This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-25, holybugx reported:
Reflected XSS on
/login.phpis possible through the hidden
gotoparameter, which leads to various user's account takeover.
This vulnerability makes use of the
There are two scenarios to exploit this vulnerability on this endpoint:
Exploiting a not logged-in doctor
drpscookies and take over their accounts after their login.
Discovering hidden GET parameters are important when we are facing an endpoint, especially with Login and Registration. There are various tools that are capable of finding the hidden parameters. I used Arjun on the
/login.phpendpoint and found the hidden
The value of this parameter is reflected directly into the source code:
Then I realized that XSS is also possible as proper input validation was not in place.
Steps To Reproduce
- Open the following URL and log in using a doctor's account:
- After providing the credentials, you will be redirected to the attacker's server and your cookies will be sent over as well:
An attacker can use the stolen cookies to takeover various user's accounts including the
- XSS leading to one-click account takeover of various users and admins.
- Implement proper sanitization on the
- Implement proper filtering of the
- Remove/Expire the
drpscookies after logging out.
FirstBlood ID: 39
Vulnerability Type: Reflective XSS
Our mistake: The parameter "goto" on login.php should of been "fixed" when redirecting to prevent XSS but due to an oversight from Sean and Karl, the new code did not make it into production. This has since updated since the event ended and you're recommended to re-try. It's related to bug
ID 26 because the idea was developers fixed *this* one (when redirecting) but forgot the other reflection.