FirstBlood-#317 [COLLAB with isitbug] Reflected XSS bypassed
This issue was discovered on FirstBlood v2



On 2021-10-25, shreky Level 5 reported:

Summary

This bug wasn't even patched, come on dev team :D. The previous XSS bug on /login.php using the hidden parameter goto is still not patched; we can use the payload "><scr<script>ipt>confirm`1`</scr</script>ipt> and the script will execute. Apart from this, since the goto parameter is used as a redirect, we can also make use of javascript URIs by doing javascript:confirm`1`, and upon entering valid credentials and clicking on Secure Login the alert box will pop up.

Steps to reproduce

  1. Visit /login.php?goto="><scr<script>ipt>confirm`1`</scr</script>ipt>
    1a. Or /login.php?goto=javascript:confirm`1`
  2. Alert pops
    2a. Once you input valid credentials and click on SECURE LOGIN the alert will pop

Impact

Reflected XSS that executes without user input AND through javascript URIs when the victim proceeds to login.

XSS PoC through first method-->

XSS through javascript URI (logging in after entering valid creds)-->

P3 Medium

Endpoint: /login.php

This report contains multiple vulnerabilities:

  • Reflective XSS (FirstBlood ID 26)
  • Reflective XSS (FirstBlood ID 39)


FirstBlood ID: 26
Vulnerability Type: Reflective XSS

The developers thought they had fixed ?goto= when reflected in an input tag on login.php from a similar bug (ID 39), but because this endpoint uses legacy code their changes were not applied here and thus the XSS was forgotten.

FirstBlood ID: 39
Vulnerability Type: Reflective XSS

Our mistake: The parameter "goto" on login.php should have been "fixed" when redirecting to prevent XSS, but due to an oversight from Sean and Karl, the new code did not make it into production. This has since been updated since the event ended and you're recommended to re-try. It's related to bug ID 26 because the idea was developers fixed *this* one (when redirecting) but forgot the other reflection.
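The two sinks described on this page (the goto value reflected into an input tag, and the goto value used as a redirect target) fail for different reasons, and the nested payload in the report tells you something about the first: a filter that strips `<script>` in a single pass turns `<scr<script>ipt>` back into `<script>`. The example below is an added illustration, not FirstBlood's code; the single-pass strip filter is a plausible reconstruction of what the payload bypasses, and the `render_input_*` and `safe_redirect_target` functions are hypothetical names for the two sinks and their hardened forms.

```python
import html
import re
from urllib.parse import urlsplit

# Payload from the report: after one strip pass the inner tags reappear.
NESTED_PAYLOAD = '"><scr<script>ipt>confirm`1`</scr</script>ipt>'

# Hypothetical reconstruction (not FirstBlood's code) of a single-pass
# "remove <script> tags" filter, which is exactly what the nested payload defeats.
def naive_strip_script(value: str) -> str:
    return re.sub(r"</?script>", "", value, flags=re.IGNORECASE)


def render_input_naive(goto: str) -> str:
    # Vulnerable sink (ID 26 on the page): filtered value reflected into an attribute.
    # The leading "> of the payload closes the attribute and the tag, so whatever
    # survives the filter is parsed as markup.
    return f'<input type="hidden" name="goto" value="{naive_strip_script(goto)}">'


def render_input_safe(goto: str) -> str:
    # Hardened sink: encode for the attribute context instead of blacklisting.
    # html.escape with quote=True turns <, >, &, " and ' into entities, so the
    # value can never terminate the attribute, whatever tags it contains.
    return f'<input type="hidden" name="goto" value="{html.escape(goto, quote=True)}">'


def safe_redirect_target(goto: str, default: str = "/") -> str:
    # Hardened redirect (ID 39 on the page): only accept a same-origin relative path.
    # Browsers ignore ASCII whitespace and control characters inside a scheme
    # ("java\tscript:"), so strip them before looking at the value.
    cleaned = "".join(ch for ch in goto if ord(ch) > 0x20)
    parts = urlsplit(cleaned)
    if parts.scheme or parts.netloc:
        # Any scheme (javascript:, data:, http:) or host (//evil) is rejected,
        # regardless of case or interleaved whitespace.
        return default
    if not cleaned.startswith("/") or cleaned.startswith("//") or cleaned.startswith("/\\"):
        # Must be an absolute path on this origin; "//host" and "/\host" are
        # protocol-relative URLs to most browsers, so refuse those too.
        return default
    return cleaned


if __name__ == "__main__":
    print("naive filter output :", naive_strip_script(NESTED_PAYLOAD))
    print("naive input sink    :", render_input_naive(NESTED_PAYLOAD))
    print("encoded input sink  :", render_input_safe(NESTED_PAYLOAD))
    for target in ("javascript:confirm`1`", "JaVaScRiPt:confirm`1`",
                   "\tjava\nscript:confirm`1`", "//evil.example/x", "/dashboard.php?tab=1"):
        print(f"redirect {target!r:32} -> {safe_redirect_target(target)!r}")
```

The point of the pair is that the attribute sink is fixed by output encoding, not by a better tag blacklist, and the redirect sink is fixed by validating the destination against an allowlist shape rather than by searching for the string `javascript:`. Keeping both fixes in one place (and making the login endpoint call them rather than a legacy copy) is what the dev notes above say was missed.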