FirstBlood-#609 — Open redirect on /login.php via the goto parameter
This issue was discovered on FirstBlood v2
On 2021-10-26, 0xblackbird Level 5 reported:
Hello! I've found out that the open redirect issue isn't fixed and that an attacker can redirect his/her victim to any other website after login.
Proof of concept url:
https://6927d92c9475-0xblackbird.a.firstbloodhackers.com/login.php?goto=https://example.com
Steps to reproduce:
- Visit /login.php?goto=https://example.com
- Next, enter the following test credentials: testdoctor:test (more information in one of my previous reports). And click on "SECURE LOGIN".
- You'll see that we get redirected to https://example.com

Escalation:
This issue can be escalated to cross-site scripting. View my other report #607 for more information.
Have a great day!
Kind regards,
0xblackbird
P3 Medium
Endpoint: /login.php
Parameter: goto
Payload: https://example.com
FirstBlood ID: 39
Vulnerability Type: Reflective XSS
Our mistake: The parameter "goto" on login.php should have been "fixed" when redirecting to prevent XSS, but due to an oversight from Sean and Karl, the new code did not make it into production. This has since been updated since the event ended and you're recommended to re-try. It's related to bug ID 26 because the idea was developers fixed *this* one (when redirecting) but forgot the other reflection.
Creator & Administrator
This was a mistake on our behalf (sorry!), and whilst an open redirect is still possible, the intended bug was to achieve XSS from this. We've since made some changes and fixed it
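Added example (not FirstBlood's code): one way a login handler can validate a "goto" value before issuing the redirect, so that it can only land on a same-origin path. It rejects absolute URLs, protocol-relative "//host" values, backslash variants, and non-path schemes such as javascript:, and it never echoes the raw parameter back into the Location header. The site origin is an assumed placeholder.

```python
from typing import Optional
from urllib.parse import urlsplit, urljoin

# Assumed origin for the demonstration; a real deployment would use its own.
SITE_ORIGIN = "https://app.example.invalid"
DEFAULT_TARGET = "/"
_ORIGIN_PARTS = urlsplit(SITE_ORIGIN)


def safe_redirect_target(goto: Optional[str]) -> str:
    """Return a redirect target that stays on SITE_ORIGIN.

    Anything that would leave the origin (absolute URL, protocol-relative
    "//host", backslash tricks, javascript: or other schemes) falls back
    to DEFAULT_TARGET instead of being reflected.
    """
    if not goto:
        return DEFAULT_TARGET
    # Drop control characters (tab, newline) that browsers silently ignore,
    # so "/\t/host" cannot sneak past the "//" check below.
    candidate = "".join(ch for ch in goto if ch.isprintable()).strip()
    # Browsers treat "\" like "/" in URLs; normalise before inspecting.
    candidate = candidate.replace("\\", "/")
    # A protocol-relative value ("//host", "///host") is an off-site jump.
    if candidate.startswith("//"):
        return DEFAULT_TARGET
    parts = urlsplit(candidate)
    # Any scheme or authority means this is not a plain local path.
    if parts.scheme or parts.netloc:
        return DEFAULT_TARGET
    # Require an absolute path on this site ("/dashboard.php", not "x.php").
    if not parts.path.startswith("/"):
        return DEFAULT_TARGET
    # Resolve against the origin and confirm scheme and host are unchanged.
    resolved = urlsplit(urljoin(SITE_ORIGIN + "/", candidate))
    if (resolved.scheme, resolved.netloc) != (_ORIGIN_PARTS.scheme, _ORIGIN_PARTS.netloc):
        return DEFAULT_TARGET
    # Rebuild path + query + fragment from the parsed parts, not the raw input.
    target = resolved.path
    if resolved.query:
        target += "?" + resolved.query
    if resolved.fragment:
        target += "#" + resolved.fragment
    return target
```

The same check blocks the escalation mentioned in the report, since a javascript: or data: value carries a scheme and is replaced by the default target.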