FirstBlood-#613 — [COLLAB] Can register as a doctor and steal token upon login.
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-26, amec0e Level 3 reported:
I found that on the register.php endpoint we can register as a new doctor using an inviteCode with the value test. After registering as a new doctor and then clicking on a link to the login page from a malicious user, upon the doctor logging in via the endpoint login.php they will be sent to our ngrok address where we can steal their drps=token via the parameter goto on the login endpoint.
A user can register as a doctor using the inviteCode=test; then, by following a link from a malicious user, we can steal the doctor's drps=token because of the lack of an httponly flag on the
Steps to Reproduce:
- Visit the endpoint
- Enter a username and in the invite code use
- Click register and you will now be given credentials.
- Click "Continue to login"
- Start our Ngrok server.
- Append the following parameter to the login URL:
- Replace your ngrok address in the payload and press "Enter".
- Now log in with your new credentials and you will be redirected to your ngrok address.
NOTE: You will receive an error and maybe a 404; this is normal.
You will now see the token has been leaked to our ngrok address.
In Collaboration with thebinarybot
P2 High
This bug makes use of the following vulnerabilities in a chain:
FirstBlood ID: 39
Vulnerability Type: Reflective XSS
Our mistake: The parameter "goto" on login.php should have been "fixed" when redirecting to prevent XSS, but due to an oversight from Sean and Karl, the new code did not make it into production. This has since been updated since the event ended and you're recommended to re-try. It's related to bug ID 26 because the idea was developers fixed *this* one (when redirecting) but forgot the other reflection.
FirstBlood ID: 24
Vulnerability Type: Auth issues
The old invite code was deleted but when testing FirstBlood v2 the developers accidentally left the test code working.
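The two fixes the chain above depends on, the missing validation of the "goto" redirect on login.php and the missing httponly flag on the drps token cookie, as an added example that is not FirstBlood's own code. The function name safe_goto, the fallback path /dashboard.php and the token generation are assumptions.

```php
<?php
// Added example (not FirstBlood's code): hardened post-login redirect and
// cookie issuance for a login.php-style endpoint. safe_goto, the fallback
// path and the token generation below are assumptions.

/**
 * Return the "goto" value only if it is a plain same-site path, otherwise
 * the fallback. Rejects absolute URLs, scheme-only values such as
 * javascript:, protocol-relative //host and backslash variants, and any
 * character that could break out of a header or an HTML context.
 */
function safe_goto(?string $goto, string $fallback = '/dashboard.php'): string
{
    if ($goto === null || $goto === '') {
        return $fallback;
    }
    // Control characters, whitespace, quotes, angle brackets and backslashes
    // have no place in a local path; they are the usual reflection vectors.
    if (preg_match('/[\x00-\x20\x7f"\'<>\\\\]/', $goto)) {
        return $fallback;
    }
    $parts = parse_url($goto);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])
        || isset($parts['user']) || isset($parts['pass'])) {
        return $fallback;
    }
    $path = $parts['path'] ?? '';
    // Exactly one leading slash: "/x" is local, "//x" is another origin.
    if ($path === '' || $path[0] !== '/' || (isset($path[1]) && $path[1] === '/')) {
        return $fallback;
    }
    return $goto;
}

// After credentials have been verified (token generation is assumed):
$token = bin2hex(random_bytes(32));
// httponly keeps the token out of document.cookie even if a reflection
// survives elsewhere; secure and samesite narrow exposure further.
// The options-array form of setcookie() needs PHP 7.3 or newer.
setcookie('drps', $token, [
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
    'path'     => '/',
]);
// Never echo $_GET['goto'] into HTML; redirect only to the vetted path.
header('Location: ' . safe_goto($_GET['goto'] ?? null), true, 302);
exit;
```

Because $_GET values arrive URL-decoded, an encoded "%2F%2Fevil" is seen as "//evil" and rejected by the single-slash check.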