FirstBlood-#274Open Redirect on /login.php via goto body parameter



On 2021-05-15, iffu reported:

Hi zseano

Summary

I've found an Open Redirection Vulnerability on /login.php via the body parameter 'goto'

Steps to Reproduce

  • Visit /login.php
  • Give your credentials and login.
  • Capture this request in burp.
  • Now add one more body parameter goto to the request with the attacker controlled site as the value to the parameter.
  • This is being reflected in top.location.href in the body.
  • Now you will be redirected to attacker controlled domain.

Impact

  • The attacker can put a legitimately looking phishing page with a login and trick the user into putting his credentials and stealing them.

Thanks zseano and please let me know if you need any more info regarding this bug

P4 Low

Endpoint: /login.php

Parameter: goto

Payload: https://www.evil.com


FirstBlood ID: 2
Vulnerability Type: Reflective XSS

The parameter "goto" is vulnerable to XSS on login.php. The web application makes use of a WAF but this can be bypassed as it's only looking for certain HTML tags and event handlers. It is also vulnerable to open redirect but XSS is the intended bug.

Report Feedback

@zseano

Creator & Administrator


Hi iffu, there is actually an XSS bug here which has more impact and was the intended bug here :) you will be able to see disclosed reports on this soon, and i'm triaging it as the xss bug to categorise it with it


Respect Earnt: 1000000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.