FirstBlood-#900Open redirect via goto parameter on /login.php endpoint
This issue was discovered on FirstBlood v2

On 2021-10-30, panya Level 7 reported:

The site contains an open redirect via goto parameter value. I'm not sure that it's not the same as the bug with XSS via javascript: but still...

Steps to reproduce:

  1. Register a doctor account (e.g. with test as username and test as the invitation code).
  2. Visit this URL: https://a21f5a9e902d-panya.a.firstbloodhackers.com/login.php?goto=//google.com
  3. Fill in correct credentials (obtained after successful registration) from step 1 and press on the "Secure Login" button.

Actual result:

The user will be redirected to https://google.com.

Expected result:

The user should not be redirected to https://google.com. The goto parameter value should allow redirecting only to relative paths.

P3 Medium

Endpoint: /login.php

Parameter: goto

Payload: //google.com

FirstBlood ID: 39
Vulnerability Type: Reflective XSS

Our mistake: The parameter "goto" on login.php should of been "fixed" when redirecting to prevent XSS but due to an oversight from Sean and Karl, the new code did not make it into production. This has since updated since the event ended and you're recommended to re-try. It's related to bug ID 26 because the idea was developers fixed *this* one (when redirecting) but forgot the other reflection.

Report Feedback

@zseano

Creator & Administrator

Hi panya, this was a mistake on our behalf (sorry!), and whilst an open redirect is still possible, the intended bug was to achieve XSS from this. We've since made some changes and fixed it. The parameter is handled in two places, reflected in an input, and then when redirecting. The first (reflected in input) was intended to be left how it is, but the redirect should of been fixed. Sorry for this and the poor experience this may of caused :(