FirstBlood-#274 — Open Redirect on /login.php via goto body parameter
This issue was discovered on FirstBlood v1
On 2021-05-15, iffu reported:
I've found an Open Redirection Vulnerability on /login.php via the body parameter 'goto'
Steps to Reproduce
- Visit /login.php
- Give your credentials and login.
- Capture this request in Burp.
- Now add one more body parameter, goto, to the request, with the attacker-controlled site as the value of the parameter.
- This is being reflected in top.location.href in the body.
- Now you will be redirected to the attacker-controlled domain.
- The attacker can put up a legitimate-looking phishing page with a login form and trick the user into entering his credentials, stealing them.
Thanks zseano, and please let me know if you need any more info regarding this bug.
FirstBlood ID: 2
Vulnerability Type: Reflective XSS
The parameter "goto" is vulnerable to XSS on login.php. The web application makes use of a WAF but this can be bypassed as it's only looking for certain HTML tags and event handlers. It is also vulnerable to open redirect but XSS is the intended bug.
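The root cause in both readings of this report is the same: the post-login "goto" value is written straight into top.location.href inside a script block, so it can name a foreign origin (open redirect) or break out of the string literal (XSS). The following is an added example, not FirstBlood's own code, of how a defender closes both holes at once: the target is parsed against the application's own origin (APP_ORIGIN is a placeholder hostname, not FirstBlood's) and only same-origin targets are re-emitted as a relative path, and the value is JSON-encoded with "<" escaped before it is placed in the script context, so it cannot terminate the script tag or the string regardless of what a WAF does or does not filter.

```javascript
// Added example (not FirstBlood code): allowlist-based validation of a post-login
// "goto" redirect target, plus safe embedding of that target into a script context.
// APP_ORIGIN is a placeholder; a real deployment uses its own canonical origin.
const APP_ORIGIN = "https://app.example";

// Returns a same-origin relative path, or `fallback` when the input cannot be trusted.
function safeRedirectTarget(goto, fallback = "/") {
  if (typeof goto !== "string" || goto.length === 0 || goto.length > 2048) return fallback;

  // Backslashes and C0 control characters are rejected outright: browsers may treat
  // "\" as "/", and tabs/newlines are silently stripped by the URL parser.
  if (/[\u0000-\u001f\\]/.test(goto)) return fallback;

  let parsed;
  try {
    // Resolving relative to our own origin turns "/x" into https://app.example/x,
    // while "//evil.example", "https://evil.example" and "javascript:..." keep
    // (or get) a different origin and fail the check below.
    parsed = new URL(goto, APP_ORIGIN);
  } catch {
    return fallback;
  }
  if (parsed.origin !== APP_ORIGIN) return fallback;

  // Re-emit only path, query and fragment: nothing origin-like from the input survives.
  return parsed.pathname + parsed.search + parsed.hash;
}

// Embeds the (already validated) target into an inline script without letting the
// value break out of the JS string or close the <script> element.
function redirectScript(target) {
  const literal = JSON.stringify(target).replace(/</g, "\\u003c");
  return `<script>top.location.href = ${literal};</script>`;
}

// Constructed sample inputs, mirroring the cases from the report.
const samples = [
  "/dashboard.php",
  "//evil.example/",
  "https://evil.example/phish",
  "javascript:alert(1)",
  "/x</script><script>alert(1)</script>",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", redirectScript(safeRedirectTarget(s)));
}
```

Validation happens server-side on the redirect value itself; the JSON-encoding step is the output encoding for the script context and is not a substitute for the origin check, since a correctly encoded "https://evil.example" is still an open redirect.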