Summary

A reflected XSS vulnerability exists on the Referer header of /login.php. This can be abused by an attacker to host a link on their own site that, if clicked, will direct the victim to the First Blood login page. If the user is fires the payload, it can leak the users cookies to the attacker.

Steps to reproduce

1. Go to /login.php and log is an an admin user.

2. An attacker would create a link on their own site, e.g. attacker.com, on the example page 'onmouseover='alert(document.cookie) for example that will link to First Blood /login.php so the Referer header would be set to Referer: https://attacker.com/'onmouseover='alert(document.cookie). To simulate this, create the following GET reuest in Burp:

   GET /login.php HTTP/1.1
   Host: 1b2344d44dcc-xnl-h4ck3r.a.firstbloodhackers.com
   Referer: https://attacker.com/'onmouseover='alert(document.cookie)

3. Right click the request and select Request in browser -> In original session, and select Copy:

4. Paste the URL into the browser running through Burp.

5. When the page loads, move the mouse pointer over the link Return to previosu page:

6. The XSS payload from the Referer header is fired. You can see from the response how the payload works because it is not santised correctly whren added to the Return to previous page href attribute:

Impact

This vulnerability allows an attacker to get a users cookie and therefore login as that user. The impact is low because the attacker would have to get the victim to visit their site, go to a particular page that has a name of the payload, and click a login link. The user would have to already logged in to First Blood AND move the mouse pointer of the Return to previous page link. The payload shown here requires some user interaction, but does work in all browsers.