FirstBlood-#759 — Reflected XSS on register.php leads to account takeover
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-28, vigilante reported:
There is a reflected XSS on the /register.php page that was vulnerable in V1 and can easily be reproduced in V2. The script executes when a user clicks on the "Return to previous page" button.
This vulnerability can be used for account takeover by stealing the user's cookies if the user is logged in.
Steps to Reproduce:
- The XSS will fire and you'll see an alert box with the document domain.
- We can then steal cookies. I am running a Python HTTP server on a VPS box that captures the headers and URL.
- Use this payload to steal cookies, which sends them to my server; navigate to the URL again and click on "Return to previous page".
- Captured request: 188.8.131.52 - - [28/Oct/2021 06:45:32] "GET /drps=1d6b68c2ab7581821c793d361 HTTP/1.1" 404 -
FirstBlood ID: 32
Vulnerability Type: Reflective XSS
The ?ref parameter on register.php was poorly fixed, and the fix can be bypassed in various ways. First, the developer failed to use strtolower() when comparing strings, so the check is case-sensitive; characters such as %09 will also bypass the filter.
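The weakness above is a blocklist comparison that is defeated by a change of case or an inserted %09. The PHP below is an added example, not FirstBlood's own code, of the allow-list approach a fix should take: accept only a site-relative path for the "Return to previous page" target, reject control characters before and after URL decoding, and HTML-encode on output. The function names and the exact form of the original filter are assumptions.

```php
<?php
// Added example (not FirstBlood code): allow-list validation of the
// ?ref value used by the "Return to previous page" button.

// Return a safe site-relative path, or $fallback when $ref is untrusted.
function safe_return_path(string $ref, string $fallback = '/'): string
{
    // Decode first so that %09 (tab) and similar encodings are seen as the
    // control characters they become; reject anything not printable ASCII.
    $decoded = rawurldecode($ref);
    if ($decoded === '' || preg_match('/[^\x21-\x7e]/', $decoded)) {
        return $fallback;
    }
    // Must start with exactly one "/" (no "//host" or "\\host" forms) and
    // contain only path/query characters. No scheme can appear at all, so
    // the case of the input never matters, unlike a blocklist compare.
    if (!preg_match('#^/(?![/\\\\])[A-Za-z0-9_\-./?=&]*$#', $decoded)) {
        return $fallback;
    }
    // Second, independent check: parse_url must see neither scheme nor host.
    $parts = parse_url($decoded);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }
    return $decoded;
}

// Encode for the HTML attribute context in which the button's href is emitted.
function return_button_html(string $ref): string
{
    $href = htmlspecialchars(safe_return_path($ref), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $href . '">Return to previous page</a>';
}

// Constructed inputs: a normal path is kept; a mixed-case scheme, a
// %09-prefixed scheme and a protocol-relative URL all fall back to "/".
foreach (['/index.php?ref=1', 'JavaScript:1', '%09javascript:1', '//evil.example/'] as $in) {
    echo str_pad($in, 20), ' => ', safe_return_path($in), PHP_EOL;
}
echo return_button_html('/index.php?ref=1'), PHP_EOL;
```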