FirstBlood-#869 — Reflected XSS on login.php using Referer header
This issue was discovered on FirstBlood v2
On 2021-10-29, xnl-h4ck3r reported:
A reflected XSS vulnerability exists on the
/login.php. This can be abused by an attacker to host a link on their own site that, if clicked, will direct the victim to the First Blood login page. If the user is fires the payload, it can leak the users cookies to the attacker.
Steps to reproduce
/login.phpand log is an an admin user.
An attacker would create a link on their own site, e.g. attacker.com, on the example page
'onmouseover='alert(document.cookie)for example that will link to First Blood
/login.phpso the Referer header would be set to
Referer: https://attacker.com/'onmouseover='alert(document.cookie). To simulate this, create the following GET reuest in Burp:
GET /login.php HTTP/1.1 Host: 1b2344d44dcc-xnl-h4ck3r.a.firstbloodhackers.com Referer: https://attacker.com/'onmouseover='alert(document.cookie)
Right click the request and select Request in browser -> In original session, and select Copy:
Paste the URL into the browser running through Burp.
When the page loads, move the mouse pointer over the link Return to previosu page:
The XSS payload from the Referer header is fired. You can see from the response how the payload works because it is not santised correctly whren added to the
Return to previous pagehref attribute:
This vulnerability allows an attacker to get a users cookie and therefore login as that user. The impact is low because the attacker would have to get the victim to visit their site, go to a particular page that has a name of the payload, and click a login link. The user would have to already logged in to First Blood AND move the mouse pointer of the Return to previous page link. The payload shown here requires some user interaction, but does work in all browsers.
FirstBlood ID: 19
Vulnerability Type: Reflective XSS
The parameter ?ref= on login.php was fixed and instead the use of
$_SERVER['HTTP_REFERER']; was used. Patrice tested in Chrome and Firefox and saw it was secure, but some users still use Internet Explorer 10 (governments for example!) and the Referer header is vulnerable to reflective XSS.