FirstBlood-#443 Goto parameter is still vulnerable to Reflective XSS
This issue was discovered on FirstBlood v2



On 2021-10-25, kinako Level 5 reported:

Dear FirstBlood security team, I found a vulnerability on your service. I hope this report will help you.

Summary

The /login.php endpoint has a hidden param called goto; this was vulnerable to Reflective XSS on FirstBlood v1, and so is FirstBlood v2.

Vulnerability Description (PoC)

First of all, if we add goto=hoge on /login.php, then it's reflected in <input name="goto" value="hoge" type="hidden">.

Next, if we input an XSS payload, the server side sanitizes it.

From my research,

  • () parentheses are stripped
  • specific words like alert are stripped
  • <.*> → if we use less-than and greater-than signs, the letters between them are stripped

So I created a PoC to bypass these filters: goto=hoge"/onmouseenter="confirm`XSS`"/a=

And it works.

Impact

  • FirstBlood v2 has no HttpOnly attribute on the session cookie, so attackers can easily steal the victim's session cookie by performing this XSS
  • Phishing

Regards, kinako

P3 Medium

Endpoint: /login.php

Parameter: goto

Payload: goto=hoge"/onmouseenter="confirm`XSS`"/a=


FirstBlood ID: 26
Vulnerability Type: Reflective XSS

The developers thought they had fixed ?goto= when reflected in an input tag on login.php, following a similar bug (ID 39), but because this endpoint uses legacy code their changes were not applied here, and so the XSS was forgotten.
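The following is an added example, not code from the report or from FirstBlood. It re-creates the blocklist the report describes (an assumption about login.php, not the real filter), renders the hidden input both the vulnerable way and with proper attribute-context encoding, and uses an HTML parser as the check a reviewer or test suite would apply: a hidden input must never end up carrying an event-handler attribute.

```python
import html
import re
from html.parser import HTMLParser

# Payload as given in the report's metadata (value of the goto parameter).
PAYLOAD = 'hoge"/onmouseenter="confirm`XSS`"/a='


def legacy_filter(value: str) -> str:
    """Constructed re-creation of the blocklist the report describes: parentheses,
    the word 'alert' and anything between < and > are stripped. This is an
    assumption about login.php, not the real server code."""
    value = value.replace("(", "").replace(")", "")
    value = value.replace("alert", "")
    value = re.sub(r"<.*?>", "", value)
    return value


def render_legacy(goto: str) -> str:
    """Vulnerable pattern: blocklisted input dropped raw into a quoted attribute."""
    return f'<input name="goto" value="{legacy_filter(goto)}" type="hidden">'


def render_fixed(goto: str) -> str:
    """Hardened pattern: attribute-context encoding of quotes, <, > and &,
    i.e. what htmlspecialchars($goto, ENT_QUOTES) gives in a PHP template."""
    return f'<input name="goto" value="{html.escape(goto, quote=True)}" type="hidden">'


class _InputAttrs(HTMLParser):
    """Collects the attributes the parser actually sees on the <input> tag."""
    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def parsed_input_attrs(rendered: str) -> dict:
    p = _InputAttrs()
    p.feed(rendered)
    p.close()
    return p.attrs


def event_handlers(rendered: str) -> list:
    """Attribute names starting with 'on' are injected event handlers; a hidden
    input should never carry one, so a non-empty result is a finding."""
    return sorted(n for n in parsed_input_attrs(rendered) if n.startswith("on"))
```

With the legacy rendering the parser reports an onmouseenter attribute on the input, while the encoded rendering keeps the whole payload inside the value attribute and round-trips it unchanged.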