FirstBlood-#465 — Reflected XSS on /login.php through the "goto" parameter leading to ATO
This issue was discovered on FirstBlood v2 (issues patched)
On 2021-10-25, holybugx reported:
Reflected XSS on
/login.phpis possible through the hidden
gotoparameter, which leads to various user's account takeover.
There are two scenarios to exploit this vulnerability on this endpoint:
Exploiting a logged-in doctor
In this report, I have declared how an attacker is able to take over a logged-in doctor's account using this XSS.
Discovering hidden GET parameters are important when we are facing an endpoint, especially with Login and Registration. There are various tools that are capable of finding the hidden parameters. I used Arjun on the
/login.phpendpoint and found the hidden
The value of this parameter is reflected directly into the source code:
Then I realized that XSS is also possible as the proper input validation was not in place.
Steps To Reproduce
- Open the following link and you will be redirected to the attacker's website and your cookies will be sent over as well:
- Here is how it looks after the victim clicks the malformed attacker's URL:
An attacker can use the stolen cookies to takeover various user's accounts including the
- XSS leading to one-click account takeover of various users and admins.
- Implement proper sanitization on the
- Remove/Expire the
drpscookies after logging out.
FirstBlood ID: 26
Vulnerability Type: Reflective XSS
The developers thought they had fixed ?goto= when reflected in an input tag on login.php from a similar bug (
ID 39), but because this endpoint uses legacy code their changes were not applied here and thus the XSS was forgotten.