FirstBlood-#831Open Redirect at Doctor Panel
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-29, mrrootsec Level 2 reported:

Hello Zseano,Hope you are doing well

Description:

When logging out a doctor, the application does not properly validate the redirection. When the ref parameter value is changed, the application process it without any restrictions.

Steps to Reproduce the issue:

  1. Navigate to https://be6713741795-mrrootsec.a.firstbloodhackers.com/login.php

  2. Login with Valid Credentials as a Doctor

  3. Now Choose securely Signout ,Capture this request into burp-suite and add this payload at ref parameter

  4. The application processed and the response will look like below, Location: google.com

Impact :

  1. As an attacker i can redirect the user to malicious domain and can do malicious things

Remediation / Fix :

  1. When necessary, avoid using user-controllable data in URLs and carefully sanitise it
  2. Sanitize input by creating a list of trusted URLs (Allow only whitelisted approach)
  3. Force all redirects to go through a page that informs users that they are leaving your site.

References :

  1. https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html

Thanks and Regards

MOHAMMAD SAQLAIN

P4 Low

Endpoint: /drpanel/logout.php

Parameter: ?ref

Payload: /%09/google.com


FirstBlood ID: 18
Vulnerability Type: Open Redirect

The open redirect bug on logout.php was fixed but the code still failed to filter out certain characters such as %09 and thus the endpoint is still vulnerable to open redirect. This vulnerability only affects chrome.