FirstBlood-#274 — Open Redirect on /login.php via goto body parameter
This issue was discovered on FirstBlood v1
On 2021-05-15, iffu Level 5 reported:
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles
Hi zseano
Summary
I've found an Open Redirection Vulnerability on /login.php via the body parameter 'goto'
Steps to Reproduce
- Visit /login.php
- Give your credentials and login.
- Capture this request in burp.
- Now add one more body parameter goto to the request with the attacker controlled site as the value to the parameter.
- This is being reflected in top.location.href in the body.
- Now you will be redirected to attacker controlled domain.
Impact
- The attacker can put a legitimately looking phishing page with a login and trick the user into putting his credentials and stealing them.
Thanks zseano and please let me know if you need any more info regarding this bug
P4 Low
Endpoint: /login.php
Parameter: goto
Payload: https://www.evil.com
FirstBlood ID: 2
Vulnerability Type: Reflective XSS
The parameter "goto" is vulnerable to XSS on login.php. The web application makes use of a WAF but this can be bypassed as it's only looking for certain HTML tags and event handlers. It is also vulnerable to open redirect but XSS is the intended bug.
Report Feedback
Creator & Administrator
Hi iffu, there is actually an XSS bug here which has more impact and was the intended bug here :) you will be able to see disclosed reports on this soon, and i'm triaging it as the xss bug to categorise it with it