FirstBlood-#831 — Open Redirect at Doctor Panel
This issue was discovered on FirstBlood v2
On 2021-10-29, mrrootsec Level 2 reported:
Hello Zseano, hope you are doing well.
When logging out a doctor, the application does not properly validate the redirection. When the ref parameter value is changed, the application processes it without any restrictions.
Steps to Reproduce the issue:
Navigate to https://be6713741795-mrrootsec.a.firstbloodhackers.com/login.php
Login with Valid Credentials as a Doctor
Now choose "Securely Signout", capture this request in Burp Suite and add this payload at the ref parameter.
The application processes it and the response will look like below: Location: google.com
- As an attacker I can redirect the user to a malicious domain and do malicious things
Remediation / Fix:
- When necessary, avoid using user-controllable data in URLs and carefully sanitise it
- Sanitize input by creating a list of trusted URLs (Allow only whitelisted approach)
- Force all redirects to go through a page that informs users that they are leaving your site.
Thanks and Regards
FirstBlood ID: 18
Vulnerability Type: Open Redirect
The open redirect bug on logout.php was fixed, but the code still failed to filter out certain characters such as %09 (an encoded tab), and thus the endpoint is still vulnerable to open redirect. This vulnerability only affects Chrome.
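The %09 bypass works because browsers such as Chrome strip ASCII tab and newline characters from a URL before parsing it, so a server-side check that only looks at the leading characters can be fooled. Below is an added example, not the FirstBlood platform's own code, of how a logout handler could validate the ref parameter the way the remediation list suggests: decode it, reject any control character, and allow only same-origin relative paths. APP_ORIGIN, DEFAULT_REDIRECT and safe_redirect are hypothetical names chosen for this example.

```python
"""Allow-list validation for a logout ?ref= redirect parameter (added example)."""
from urllib.parse import unquote, urljoin, urlsplit

# Assumed application origin and fallback target (hypothetical, not from the report).
APP_ORIGIN = "https://firstblood.example"
DEFAULT_REDIRECT = "/login.php"


def safe_redirect(ref):
    """Return a redirect target that always stays on APP_ORIGIN.

    Anything that is not a plain same-origin path falls back to DEFAULT_REDIRECT.
    """
    if not ref:
        return DEFAULT_REDIRECT

    # Percent-decode repeatedly so that %09 (tab) or %2509 (double-encoded tab)
    # cannot hide a control character from the checks below.
    decoded = ref
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt

    # Browsers strip tab/newline before parsing the Location value, so any
    # control character anywhere in the value is treated as hostile
    # (this also blocks CR/LF header injection into the Location header).
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        return DEFAULT_REDIRECT

    # Only scheme-less, host-less values are acceptable; "//host" sets netloc.
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc:
        return DEFAULT_REDIRECT

    # Must be an absolute path on this site. "//" and "/\" are rejected because
    # browsers treat both as a protocol-relative (off-site) URL.
    if not decoded.startswith("/") or decoded.startswith(("//", "/\\")):
        return DEFAULT_REDIRECT

    # Final belt-and-braces check: resolving against our origin must stay on it.
    resolved = urlsplit(urljoin(APP_ORIGIN + "/", decoded))
    if resolved.netloc != urlsplit(APP_ORIGIN).netloc:
        return DEFAULT_REDIRECT

    return decoded
```

The handler then emits `Location: <safe_redirect(ref)>`; a rejected value silently lands on the login page instead of echoing the attacker-supplied URL.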