FirstBlood-#212 — Reflective XSS on Login page (requiring interaction), leading to leak of PII data
This report has been reviewed and accepted as a valid vulnerability on FirstBlood!
On 2021-05-12, xnl-h4ck3r reported:
An XSS vulnerability exists on /login.php that allows an attacker to craft a URL which, if clicked, will take the user to the login page.
The ref parameter can be used to display a Return to previous page link. The href attribute of the link is vulnerable to XSS and can also be used as an Open Redirect, e.g.
An XSS payload can be used so if the user clicks the Return to previous page link, any cookies that may be present can be leaked to the attacker.
Steps to Reproduce
- Click the link
- Observe the payload fires and if there are any cookies present, they will be leaked:
NOTE: This cookie can be sent to the attacker's server
- Clear all cookies and go to the web app again but do not log in.
- Add the cookie shown in Step 3 and go to /drpanel/index.php and observe that you are now logged in as admin and can view patient data.
If an attacker can phish a user to click the link containing the payload, they can direct them to the Login page where the Return to previous page link is present.
The attack requires the victim to click the link on the site, which can then redirect the user to the attacker's website (where they could phish for login details again), or could send any cookies the user has to the attacker (which can be used to access the admin panel and reveal PII information).
This report has been publicly disclosed for everyone to view
FirstBlood ID: 3
Vulnerability Type: Reflective XSS
Respect Earnt: 1500000
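One way to close both issues the report describes for the ref parameter (script execution from the href of the Return to previous page link, and the open redirect), shown as an added example that is not code from FirstBlood or from the reporter. SITE_ORIGIN and the function names are assumptions; the value is resolved with the same URL parser browsers use, so scheme and host tricks are judged the way the browser would judge them.

```javascript
// Added example, not the application's code. SITE_ORIGIN is a placeholder.
const SITE_ORIGIN = "https://app.example";

// Resolve the untrusted ref value as a browser would, then accept it only if
// it stays on our own origin. Returns a site-relative path, or null to reject.
function safeReturnPath(ref) {
  if (typeof ref !== "string" || ref.length === 0 || ref.length > 2048) return null;
  let url;
  try {
    url = new URL(ref, SITE_ORIGIN + "/");
  } catch {
    return null; // unparseable input is never echoed back
  }
  // javascript:, data: and similar schemes have the opaque origin "null";
  // //host, /\host and absolute URLs to other sites have a foreign origin.
  if (url.origin !== SITE_ORIGIN) return null;
  const path = url.pathname + url.search + url.hash;
  // A same-origin URL can still carry a path that begins with two slashes.
  // Emitted as a relative href, that would be read as //host: a redirect.
  if (path.startsWith("//")) return null;
  return path;
}

// Escape for use inside a double-quoted HTML attribute.
function escapeAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Build the link, or omit it entirely when the value is not acceptable.
function renderReturnLink(ref) {
  const path = safeReturnPath(ref);
  if (path === null) return "";
  return `<a href="${escapeAttr(path)}">Return to previous page</a>`;
}
```

Validation and escaping do different jobs here: the origin check decides where the link may point, and the attribute escaping keeps the value from breaking out of the href. Marking the session cookie HttpOnly would additionally keep it out of reach of script in the page.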