FirstBlood-#563DOM Based XSS via redirection to javascript uri
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-26, neolex Level 2 reported:

Description

There is a goto parameter inside login.php webpage that is vulnerable to dom xss via redirection to javascript uri The goto parameter is reflected inside the reponse within

<script>top.location.href="HERE";</script> 

when the user login it is possible to redirect to javascript uri so we can trigger XSS to run javascript.

There is a filter that removes parentheses but we can use backtick instead ` There is also a filter that remove `alert` word but the filter is not recursive so the following payload will work `javascript:aalertlert`xss where the inner alert (inside another alert) will be removed but not the outter alert

Step to reproduce

Fix

You should whitelist the goto payload so it must start with / or http

Impact

The impact is XSS an attacker can execute javascript on behalf on the user, it means they can steal the session cookie of the victim

P3 Medium

Endpoint: /login.php

Parameter: goto

Payload: javascript:aalertlert`xss`


FirstBlood ID: 39
Vulnerability Type: Reflective XSS

Our mistake: The parameter "goto" on login.php should of been "fixed" when redirecting to prevent XSS but due to an oversight from Sean and Karl, the new code did not make it into production. This has since updated since the event ended and you're recommended to re-try. It's related to bug ID 26 because the idea was developers fixed *this* one (when redirecting) but forgot the other reflection.