FirstBlood-#212 — Reflective XSS on Login page (requiring interaction), leading to leak of PII data
On 2021-05-12, xnl-h4ck3r reported:
An XSS vulnerability exists on
/login.phpthat allows an attacker to craft a URL which if clicked will take the user to the login page. The
refparameter can be used to display a Return to previous page link. The href attribute of the link is vulnerable to XSS and can also be used as an Open Redirect, e.g.
ref=/\/attacker.com. An XSS payload can be used so if the user clicks the Return to previous page link, any cookies that may be present can be leaked to the attacker.
Steps to Reproduce
- Click the link
- Observe the payload fires and if there are anuy cookies present, they will be leaked:
NOTE: This cookie can be sent to attackers server
- Clear all cookies and go to the web app again but do not log in.
- Add the cookie shows in Step 3 and go to
/drpanel/index.phpand observe that you are now logged in as admin and view patient data.
If an attacker can phish a user to click the link containing the payload, they can direct them to the Login page where the Return to previous page link is present. The attack requires the victim to click the link on the site whcih can then redirect the user to the attackers website (where they could phish for login details again), or could send any cookies the user has to the attacker (which can be used to access the admin panel and reveal PII information).
FirstBlood ID: 3
Vulnerability Type: Reflective XSS