FirstBlood-#455Reflected XSS at Login.php
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-25, mrrootsec Level 2 reported:

Hello Zseano Hope you are doing well

Description:

On Firstbloodv2 at /login.php endpoint goto parameter is accepting the user input without proper filtering.

Steps to Reproduce the Issue :

  1. Navigate to https://60a81d3c72d0-mrrootsec.a.firstbloodhackers.com/login.php

  2. At the end of the URL add the accepted parameters along with xss payloads like below

    https://60a81d3c72d0-mrrootsec.a.firstbloodhackers.com/login.php?goto=javascript:confirm\x28document.cookie\x29

  3. Provide Valid Credentials & Click on Login..you will presented with XSS Popup

Impact :

  1. As an attacker i can steal of user session cookies and an administrative account cookie, the attacker can gain administrative access to the entire application. Sometimes this vulnerability can leads to Credential theft and Sensitive Data Leakage.

Remediation / Fix :

  1. Implement Input Validation Input validation is the process of ensuring that a web application returns only trusted and proper data in order to prevent malicious data from entering the system and causing harm to the site, users, and database.

  2. Set the HTTPOnly flag of your session cookie and other custom cookies you may have that are not accessed by any JavaScript code.

  3. Another great way of mitigating the impact of an XSS flaw can be implementing a robust content security policy

  4. Use Security Headers Set the X-XSS protection header to “X-XSS-Protection: 0” to disable the XSS Auditor, preventing it from taking the default browser to handle responses.

References :

  1. https://rules.sonarsource.com/php/RSPEC-5131

Thanks and Regards - MOHAMMAD SAQLAIN

P3 Medium

Endpoint: /login.php

Parameter: ?goto

Payload: javascript:confirm\x28document.cookie\x29


FirstBlood ID: 39
Vulnerability Type: Reflective XSS

Our mistake: The parameter "goto" on login.php should of been "fixed" when redirecting to prevent XSS but due to an oversight from Sean and Karl, the new code did not make it into production. This has since updated since the event ended and you're recommended to re-try. It's related to bug ID 26 because the idea was developers fixed *this* one (when redirecting) but forgot the other reflection.