FirstBlood-#443 — Goto parameter is still vulnerable to Reflective XSS
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-25, kinako reported:
Dear FirstBlood security team, I found a vulnerability on your service. I hope this report will help you.
The /login.php endpoint has a hidden param called goto. This was vulnerable to Reflective XSS on FirstBlood v1, and so is FirstBlood v2.
First of all, if we add the goto parameter to /login.php, then it's reflected in <input name="goto" value="hoge" type="hidden">.
Next, if we input an XSS payload, then the server side sanitizes it. From my research:
- () parentheses are stripped
- specific words like <.*> → if we use less than and greater than, then the letters between them are stripped
So I created a PoC to bypass these filters, and it works.
FirstBlood v2 has no HttpOnly attribute on the session cookie, so attackers can steal the victim's session cookie easily by performing this XSS.
FirstBlood ID: 26
Vulnerability Type: Reflective XSS
The developers thought they had fixed ?goto= when reflected in an input tag on login.php from a similar bug (ID 39), but because this endpoint uses legacy code their changes were not applied here and thus the XSS was forgotten.
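The root cause here is a blacklist filter applied to an attribute context, plus a fix that lived in one code path and not the legacy one. The following Python is an added illustration, not FirstBlood's code: weak_filter models the stripping behaviour the report describes, encode_attr is the contextual fix (html.escape with quote=True behaves like PHP's htmlspecialchars with ENT_QUOTES), and render_hidden_input is a hypothetical shared helper that every endpoint would call so the encoding cannot be skipped on a legacy page. The sample inputs are constructed.

```python
import html
import re

# Blacklist filter as described in the report: strips "(" and ")" and
# anything between "<" and ">". Models the described behaviour only.
def weak_filter(value: str) -> str:
    value = value.replace("(", "").replace(")", "")
    return re.sub(r"<.*>", "", value)

# Context-aware fix for a double-quoted HTML attribute value.
# Escapes & < > " and ' so the value can never close the attribute.
def encode_attr(value: str) -> str:
    return html.escape(value, quote=True)

# Characters that, if they survive raw, let a value alter or leave the
# attribute it sits in. (& is not listed: html.escape emits it only as
# part of a well-formed entity.)
ATTR_BREAKERS = set('"\'<>')

def attr_value_is_safe(rendered_value: str) -> bool:
    """Check to run on any reflected value: True only when no breaker
    character survives in raw form."""
    return not (ATTR_BREAKERS & set(rendered_value))

# Hypothetical shared helper: one place that renders hidden inputs for every
# endpoint, so the encoding cannot be forgotten on legacy pages.
def render_hidden_input(name: str, value: str, use_blacklist: bool = False) -> str:
    rendered = weak_filter(value) if use_blacklist else encode_attr(value)
    return f'<input name="{encode_attr(name)}" value="{rendered}" type="hidden">'

def audit_sample_inputs():
    """Constructed inputs; returns (unsafe after blacklist, unsafe after encoding)."""
    samples = ["hoge", "/dashboard.php", 'a"b', "it's", "<b>x</b>", "f(x)", "x&y"]
    weak = [s for s in samples if not attr_value_is_safe(weak_filter(s))]
    enc = [s for s in samples if not attr_value_is_safe(encode_attr(s))]
    return weak, enc

if __name__ == "__main__":
    print(render_hidden_input("goto", "hoge"))
    weak, enc = audit_sample_inputs()
    print("blacklist leaves unsafe:", weak)
    print("encoding leaves unsafe:", enc)
```

The audit shows the blacklist never touches quote characters, which is exactly what matters inside value="...", while contextual encoding leaves nothing raw.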