FirstBlood-#211 — Reflected xss on login.php leads to account takeover
This issue was discovered on FirstBlood v1.0.0
On 2021-05-12, 0xblackbird reported:
Hello Zseano! I hope you're doing well today! I found another reflective cross-site scripting issue! This one works on every browser :)!
Steps to reproduce
- Press Ctrl+U or append view-source: infront of the url in your urlbar. This will allow you to view the source code of the webpage.
- Next, scroll down to line ~104, you'll see that we were able to breakout of the attribute.
- We can now go ahead and use a simple payload such as
">is needed else it will still be a hidden field, later more on that). And the confirm box will popup! We successfully got xss:
- Now this is just a simple xss, but if the administrator was logged in and an attacker sent him a special crafted link like the following one, his cookies will get stolen and the admin account will be gone. Payload:
I was able to takeover an (admin) account by stealing the cookies. This happend because user input was not handled safely and made the
I first went for some payloads that needed user interaction on Firefox but worked pretty fine on other browsers. I quickly realised that the value attribute was infront of the type attribute, this meant that if I closed of the tag that it won't be a hidden form input anymore. For the PoC I just went for stealing the cookies since we are a bit quite limited with only having backticks. I'm pretty sure I can make the payload less noisy but still haven't found a way to do so! Thanks for the fun challenge!
Kind regards, 0xblackbird
FirstBlood ID: 2
Vulnerability Type: Reflective XSS
The parameter "goto" is vulnerable to XSS on login.php. The web application makes use of a WAF but this can be bypassed as it's only looking for certain HTML tags and event handlers. It is also vulnerable to open redirect but XSS is the intended bug.