FirstBlood-#869Reflected XSS on login.php using Referer header
This issue was discovered on FirstBlood v2

On 2021-10-29, xnl-h4ck3r Level 4 reported:


A reflected XSS vulnerability exists on the Referer header of /login.php. This can be abused by an attacker to host a link on their own site that, if clicked, will direct the victim to the First Blood login page. If the user is fires the payload, it can leak the users cookies to the attacker.

Steps to reproduce

  1. Go to /login.php and log is an an admin user.

  2. An attacker would create a link on their own site, e.g., on the example page 'onmouseover='alert(document.cookie) for example that will link to First Blood /login.php so the Referer header would be set to Referer:'onmouseover='alert(document.cookie). To simulate this, create the following GET reuest in Burp:

    GET /login.php HTTP/1.1
  3. Right click the request and select Request in browser -> In original session, and select Copy:

  4. Paste the URL into the browser running through Burp.

  5. When the page loads, move the mouse pointer over the link Return to previosu page:

  6. The XSS payload from the Referer header is fired. You can see from the response how the payload works because it is not santised correctly whren added to the Return to previous page href attribute:


This vulnerability allows an attacker to get a users cookie and therefore login as that user. The impact is low because the attacker would have to get the victim to visit their site, go to a particular page that has a name of the payload, and click a login link. The user would have to already logged in to First Blood AND move the mouse pointer of the Return to previous page link. The payload shown here requires some user interaction, but does work in all browsers.

P3 Medium

Endpoint: /login.php

Parameter: Referer header


FirstBlood ID: 19
Vulnerability Type: Reflective XSS

The parameter ?ref= on login.php was fixed and instead the use of $_SERVER['HTTP_REFERER']; was used. Patrice tested in Chrome and Firefox and saw it was secure, but some users still use Internet Explorer 10 (governments for example!) and the Referer header is vulnerable to reflective XSS.

Report Feedback


Creator & Administrator

Nice find, thanks for providing a working PoC! Actually for this I was only able to reproduce a working PoC on internet explorer as it seems for me the ' character is encoded on latest versions of chrome/firefox, but perhaps I need to play some more and test further