FirstBlood-#609 — Open redirect on /login.php via the goto parameter
This issue was discovered on FirstBlood v2
On 2021-10-26, 0xblackbird Level 5 reported:
Hello! I've found out that the open redirect issue isn't fixed and that an attacker can redirect his/her victim to any other website after login.
Proof of concept url:
Steps to reproduce:
Next, enter the following test credentials:
test(more information in one of my previous report). And click on "SECURE LOGIN".
- You'll see that we get redirected to https://example.com
This issue can be escalated to cross-site scripting. View my other report #607 for more information.
Have a greay day!
FirstBlood ID: 39
Vulnerability Type: Reflective XSS
Our mistake: The parameter "goto" on login.php should of been "fixed" when redirecting to prevent XSS but due to an oversight from Sean and Karl, the new code did not make it into production. This has since updated since the event ended and you're recommended to re-try. It's related to bug
ID 26 because the idea was developers fixed *this* one (when redirecting) but forgot the other reflection.
Creator & Administrator
This was a mistake on our behalf (sorry!), and whilst an open redirect is still possible, the intended bug was to achieve XSS from this. We've since made some changes and fixed it