FirstBlood-#427 Reflective XSS at /login.php
This issue was discovered on FirstBlood v2



On 2021-10-25, d20s84 Level 3 reported:

Hi Sean! Hope you are doing well!! I found a reflective XSS on the doctor login page.

Summary:

JavaScript could be injected into the /login.php endpoint through a hidden parameter, leading to reflective XSS.

Steps:

  1. Look into the source code. There is a hidden parameter named goto.
  2. Craft the URL with goto as a query string.
  3. Submit the above provided payload and hit Enter.
  4. Boom! The payload triggers!!

Impact:

Cross-site scripting can lead to various devastating attacks, such as stealing cookies for user impersonation and many more.

Image below shows the triggered payload. Image below shows how the website looks after the OK button on the alert box is pressed.

P3 Medium

Endpoint: /login.php?goto={payload}

Parameter: goto=

Payload: "><scr<script>ipt>alealertrt`1`<%2Fscr<%2Fscript>ipt>


FirstBlood ID: 26
Vulnerability Type: Reflective XSS

The developers thought they had fixed ?goto= when reflected in an input tag on login.php from a similar bug (ID 39), but because this endpoint uses legacy code their changes were not applied here and thus the XSS was forgotten.
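The shape of the reported payload (`<scr<script>ipt>`, `alealertrt`) is what one would expect against a filter that deletes a blocklist of tokens in a single pass, so that removing the inner token re-assembles the outer one. The following is an added example, not FirstBlood's code: it assumes a hypothetical legacy filter of that form on the unpatched login.php and contrasts it with the fix that actually closes the bug, HTML-attribute-encoding the reflected value instead of blocklisting.

```python
import html
from urllib.parse import unquote

# Constructed sample input: the reporter's payload, URL-decoded as the server would see it.
REPORTED_PAYLOAD = unquote('"><scr<script>ipt>alealertrt`1`<%2Fscr<%2Fscript>ipt>')


def legacy_strip(value: str) -> str:
    """Hypothetical legacy filter (an assumption about the unpatched endpoint,
    inferred from the payload shape; not FirstBlood's real code): deletes each
    blocklisted token once, in a single pass, with no re-scan afterwards."""
    for token in ("<script>", "</script>", "alert"):
        value = value.replace(token, "")
    return value


def legacy_render(goto: str) -> str:
    """Reflect ?goto= into the hidden input with only the blocklist filter applied."""
    return f'<input type="hidden" name="goto" value="{legacy_strip(goto)}">'


def hardened_render(goto: str) -> str:
    """Same reflection, but the value is attribute-encoded (quotes, < and > become
    entities), so it can never close the quoted attribute; no blocklist needed."""
    return f'<input type="hidden" name="goto" value="{html.escape(goto, quote=True)}">'


def breaks_out_of_attribute(rendered: str) -> bool:
    """Check used by the test: does the reflected value close the attribute and
    start a new tag? True if '"><' appears after the opening value=" quote."""
    body = rendered[rendered.index('value="') + len('value="'):]
    return '"><' in body


if __name__ == "__main__":
    print("legacy   :", legacy_render(REPORTED_PAYLOAD))
    print("hardened :", hardened_render(REPORTED_PAYLOAD))
```

The first print shows the blocklist filter turning the nested payload back into a live `<script>alert`1`</script>` after the attribute is closed; the second shows the same input rendered inert.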