FirstBlood-#274 — Open Redirect on /login.php via goto body parameter
This issue was discovered on FirstBlood v1
On 2021-05-15, iffu Level 5 reported:
Hi zseano,
Summary
I've found an Open Redirection Vulnerability on /login.php via the body parameter 'goto'
Steps to Reproduce
- Visit /login.php
- Enter your credentials and log in.
- Capture this request in Burp.
- Now add one more body parameter, goto, to the request, with the attacker-controlled site as the parameter's value.
- This is reflected in top.location.href in the body.
- You will now be redirected to the attacker-controlled domain.
Impact
- The attacker can host a legitimate-looking phishing page with a login form and trick the user into entering his credentials, stealing them.
Thanks zseano, and please let me know if you need any more info regarding this bug.
P4 Low
Endpoint: /login.php
Parameter: goto
Payload: https://www.evil.com
FirstBlood ID: 2
Vulnerability Type: Reflected XSS
The "goto" parameter on login.php is vulnerable to reflected XSS. The web application uses a WAF, but it can be bypassed because it only looks for certain HTML tags and event handlers; the value is reflected inside a JavaScript string (top.location.href), a context those checks do not cover. The parameter is also an open redirect, but XSS is the intended bug.
Creator & Administrator
Hi iffu, there is actually an XSS bug here which has more impact and was the intended bug here :) You will be able to see disclosed reports on this soon, and I'm triaging it as the XSS bug to categorise it with it.