FirstBlood-#609 Open redirect on /login.php via the goto parameter
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-26, 0xblackbird Level 5 reported:

Hello! I've found out that the open redirect issue isn't fixed and that an attacker can redirect his/her victim to any other website after login.

Proof of concept url:

https://6927d92c9475-0xblackbird.a.firstbloodhackers.com/login.php?goto=https://example.com

Steps to reproduce:

  • Visit /login.php?goto=https://example.com

  • Next, enter the following test credentials: testdoctor:test (more information in one of my previous reports). And click on "SECURE LOGIN".

Escalation:

This issue can be escalated to cross-site scripting. View my other report #607 for more information.

Have a great day!

Kind regards,
0xblackbird

P3 Medium

Endpoint: /login.php

Parameter: goto

Payload: https://example.com


FirstBlood ID: 39
Vulnerability Type: Reflective XSS

Our mistake: The parameter "goto" on login.php should have been "fixed" when redirecting to prevent XSS, but due to an oversight from Sean and Karl, the new code did not make it into production. This has since been updated now that the event has ended, and you're recommended to re-try. It's related to bug ID 26 because the idea was that developers fixed *this* one (when redirecting) but forgot the other reflection.
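The check the "goto" handling was missing, as an added example that is not FirstBlood's own code (login.php is PHP; the actual fix is not shown on this page). It is written in Python so that the validation logic can be exercised stand-alone. The function names, the DEFAULT_TARGET fallback and the ALLOWED_HOSTS allowlist (seeded with the lab host from the proof-of-concept URL) are assumptions for illustration. Besides the report's payload (https://example.com), it rejects the variants that usually defeat a naive "does it start with /" fix: scheme-relative //host and ///host, backslash forms, credentials-in-URL tricks, CR/LF header injection, and non-https schemes such as javascript:, which is the kind of goto value that turns a redirect into script execution.

```python
"""Validate a post-login ``goto`` redirect target.

Added example, not FirstBlood code. ALLOWED_HOSTS and DEFAULT_TARGET are
assumed values; the lab host comes from the report's proof-of-concept URL.
"""
from urllib.parse import urlsplit, urlunsplit

# Assumption: the only hosts an absolute redirect may land on.
ALLOWED_HOSTS = {"6927d92c9475-0xblackbird.a.firstbloodhackers.com"}
# Assumption: safe fallback page when the supplied target is rejected.
DEFAULT_TARGET = "/index.php"


def vulnerable_redirect_target(goto):
    """The behaviour the report describes: ``goto`` is used as-is."""
    return goto or DEFAULT_TARGET


def _has_control_chars(value):
    # CR/LF allow response-header injection; tab/newline are stripped by
    # browsers, which lets "\t//evil" slip past a prefix check.
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in value)


def safe_redirect_target(goto):
    """Return a redirect target that stays on the site, else DEFAULT_TARGET.

    Accepted:
      - a site-local path starting with exactly one '/', query allowed
      - an absolute https URL whose hostname is in ALLOWED_HOSTS
    Rejected:
      - control characters (header injection, browser whitespace stripping)
      - any backslash: browsers treat '/\\evil' and 'https://ok\\@evil' as '//evil'
      - '//evil' and '///evil', which browsers resolve as https://evil
      - non-https schemes, e.g. 'javascript:' (client-side redirect -> XSS)
      - 'https://allowed@evil': the parsed hostname is evil, not allowed
    """
    if not goto or _has_control_chars(goto) or "\\" in goto:
        return DEFAULT_TARGET

    try:
        parts = urlsplit(goto)
    except ValueError:  # e.g. malformed IPv6 literal
        return DEFAULT_TARGET

    if goto.startswith("/"):
        if goto.startswith("//"):
            return DEFAULT_TARGET
        # Re-serialise path, query and fragment only, so no scheme or
        # authority component can survive into the Location header.
        return urlunsplit(("", "", parts.path, parts.query, parts.fragment))

    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        return DEFAULT_TARGET
    # Rebuild with the validated hostname only: userinfo and port are dropped.
    return urlunsplit(("https", parts.hostname, parts.path or "/",
                       parts.query, parts.fragment))


if __name__ == "__main__":
    # The report's payload and a few bypass variants, shown side by side.
    for candidate in ("https://example.com", "//example.com",
                      "/\\example.com", "javascript:alert(document.domain)",
                      "/dashboard.php?tab=2"):
        print(f"{candidate!r:45} vulnerable={vulnerable_redirect_target(candidate)!r:45} "
              f"safe={safe_redirect_target(candidate)!r}")
```

In the real application the return value of safe_redirect_target is what goes into the Location header (or the client-side redirect) after a successful login; the fallback to a fixed page, rather than an error, keeps the login flow working when the parameter is absent or tampered with.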

Report Feedback

@zseano

Creator & Administrator


This was a mistake on our behalf (sorry!), and whilst an open redirect is still possible, the intended bug was to achieve XSS from this. We've since made some changes and fixed it.