Open Redirect at Doctor Panel

FirstBlood-#831 — Open Redirect at Doctor Panel
This issue was discovered on FirstBlood v2

This report has been reviewed and accepted as a valid vulnerability on FirstBlood!

On 2021-10-29, mrrootsec Level 2 reported:


Hello Zseano,Hope you are doing well
Description:
When logging out a doctor, the application does not properly validate the redirection. When the ref parameter value is changed, the application process it without any restrictions.
Steps to Reproduce the issue:


Navigate to https://be6713741795-mrrootsec.a.firstbloodhackers.com/login.php


Login with Valid Credentials as a Doctor


Now Choose securely Signout ,Capture this request into burp-suite and add this payload at ref parameter



The application processed and the response will look like below, Location: google.com



Impact :

As an attacker i can redirect the user to malicious domain and can do malicious things

Remediation / Fix :

When necessary, avoid using user-controllable data in URLs and carefully sanitise it
Sanitize input by creating a list of trusted URLs (Allow only whitelisted approach)
Force all redirects to go through a page that informs users that they are leaving your site.

References :

https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html

Thanks and Regards
MOHAMMAD SAQLAIN

This report has been publicly disclosed for everyone to view

P4 Low

Endpoint: /drpanel/logout.php

Parameter: ?ref

Payload: /%09/google.com

FirstBlood ID: 18
Vulnerability Type: Open Redirect

The open redirect bug on logout.php was fixed but the code still failed to filter out certain characters such as %09 and thus the endpoint is still vulnerable to open redirect. This vulnerability only affects chrome.

BugBountyHunter

Description:

Steps to Reproduce the issue:

Impact :

Remediation / Fix :

References :