FirstBlood-#274 — Open Redirect on /login.php via goto body parameter
This report has been reviewed and accepted as a valid vulnerability on FirstBlood!
On 2021-05-15, iffu reported:
I've found an Open Redirection Vulnerability on /login.php via the body parameter 'goto'.
Steps to Reproduce
- Visit /login.php
- Give your credentials and login.
- Capture this request in Burp.
- Now add one more body parameter goto to the request with the attacker controlled site as the value to the parameter.
- This is being reflected in top.location.href in the body.
- Now you will be redirected to attacker controlled domain.
- The attacker can put a legitimate-looking phishing page with a login and trick the user into entering his credentials, stealing them.
Thanks zseano, and please let me know if you need any more info regarding this bug.
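The report above shows the classic open-redirect pattern: a user-supplied `goto` value lands in `top.location.href` with no check on where it points. The block below is an added example written for this page, not code from FirstBlood or from the target application, showing how the sink could be defended: resolve the untrusted value against the site's own origin and keep only a same-origin path (so absolute URLs to other hosts, protocol-relative `//host` values and `javascript:` URIs all fall back to a fixed page), then serialize the result as a JSON string literal with `<`/`>` escaped before reflecting it into an inline script. The origin `https://app.example`, the fallback path and all sample inputs are constructed assumptions; it runs on Node.js (10 or later) using the built-in WHATWG `URL` class.

```javascript
// Added example (not from the report or the target app): validate a "goto"
// redirect target server-side and reflect it safely into an inline script.
// Assumes Node.js >= 10, where the WHATWG URL class is a global.

const SITE_ORIGIN = "https://app.example"; // constructed placeholder origin

// Resolve the untrusted value against the site's origin and accept it only if
// the resolved URL stays on that origin. Anything else, including absolute
// URLs to other hosts, protocol-relative "//host", backslash variants and
// "javascript:" URIs, falls back to a fixed default path.
function safeRedirectTarget(goto, fallback = "/") {
  if (typeof goto !== "string" || goto.length === 0 || goto.length > 2048) {
    return fallback;
  }
  let url;
  try {
    url = new URL(goto, SITE_ORIGIN);
  } catch (e) {
    return fallback; // unparseable input is never forwarded
  }
  if (url.origin !== SITE_ORIGIN) {
    return fallback;
  }
  // Re-emit only path + query + fragment, so no scheme or host taken from the
  // input ever reaches the browser; the parser has already percent-encoded
  // characters such as '<', '>' and spaces in the path.
  return url.pathname + url.search + url.hash;
}

// Serialize a value for embedding inside a JavaScript string in an inline
// <script> block. JSON.stringify handles quotes and backslashes; the extra
// replacements stop "</script>" from closing the block early and neutralise
// the two line terminators JSON does not escape.
function jsStringLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Builds the post-login redirect snippet from the raw "goto" body parameter.
function renderRedirectScript(goto) {
  const target = safeRedirectTarget(goto);
  return "<script>top.location.href = " + jsStringLiteral(target) + ";</script>";
}

// Constructed sample inputs: the first is the legitimate case, the rest are
// the shapes a redirect check most often gets wrong.
const samples = [
  "/dashboard",
  "https://app.example/profile?tab=1",
  "https://attacker.example/login.php",
  "//attacker.example/login.php",
  "/\\attacker.example",
  "javascript:alert(document.domain)",
  "</script><img src=x onerror=alert(1)>",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", renderRedirectScript(s));
}

module.exports = { safeRedirectTarget, jsStringLiteral, renderRedirectScript };
```

The key design choice is that the check operates on the parsed, resolved URL rather than on the raw string: a WAF or a regex that looks for `http://` in the input would miss `//host` and backslash forms, whereas the URL parser normalises those before the origin comparison. Keeping only the path component also means an allowlist of hosts is unnecessary for the common "return to the page I came from" case.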
This report has been publicly disclosed for everyone to view
FirstBlood ID: 2
Vulnerability Type: Reflective XSS
The parameter "goto" is vulnerable to XSS on login.php. The web application makes use of a WAF but this can be bypassed as it's only looking for certain HTML tags and event handlers. It is also vulnerable to open redirect but XSS is the intended bug.
Creator & Administrator
Hi iffu, there is actually an XSS bug here which has more impact and was the intended bug here :) You will be able to see disclosed reports on this soon, and I'm triaging it as the XSS bug to categorise it with it.
Respect Earnt: 1000000
is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.