FirstBlood-#317 — [COLLAB with isitbug] Reflected XSS bypassed
This issue was discovered on FirstBlood v2
On 2021-10-25, shreky Level 4 reported:
Summary
This bug wasn't even patched, come on dev team :D. The previous XSS bug on /login.php using the hidden parameter goto is still not patched, we can use the payload "><scr<script>ipt>confirm`1`</scr</script>ipt> and the script will execute. Apart from this, since the goto parameter is used as a redirect, we can also make use of javascript URIs by doing javascript:confirm`1` and upon entering valid credentials and clicking on Secure Login the alert box will pop up.
Steps to reproduce
1. Visit /login.php?goto="><scr<script>ipt>confirm`1`</scr</script>ipt>
1a. Or /login.php?goto=javascript:confirm`1`
2. Alert pops
2a. Once you input valid credentials and click on SECURE LOGIN the alert will pop
Impact
Reflected XSS that executes without user input AND through javascript URIs when the victim proceeds to login.
[Screenshot: XSS PoC through first method]
[Screenshot: XSS through javascript URI (logging in after entering valid creds)]
P3 Medium
Endpoint: /login.php
This report contains multiple vulnerabilities:
FirstBlood ID: 26
Vulnerability Type: Reflective XSS
The developers thought they had fixed ?goto= when reflected in an input tag on login.php from a similar bug (ID 39), but because this endpoint uses legacy code their changes were not applied here and thus the XSS was forgotten.
FirstBlood ID: 39
Vulnerability Type: Reflective XSS
Our mistake: The parameter "goto" on login.php should have been "fixed" when redirecting to prevent XSS but due to an oversight from Sean and Karl, the new code did not make it into production. This has since been updated since the event ended and you're recommended to re-try. It's related to bug ID 26 because the idea was developers fixed *this* one (when redirecting) but forgot the other reflection.
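The two defects the developers describe (the redirect-side check that never shipped, and the reflection into the input tag that was forgotten) as an added illustration, not the FirstBlood code: a same-site-only check for the goto target and attribute encoding of the reflected value, exercised with the report's own payloads. Function names and the dashboard path are assumptions.

```python
import html
from urllib.parse import urlsplit

# Constructed inputs for the checks below: the two payloads from the report
# plus an assumed benign same-site path the login page should still honour.
ATTR_PAYLOAD = '"><scr<script>ipt>confirm`1`</scr</script>ipt>'
URI_PAYLOAD = "javascript:confirm`1`"
BENIGN_GOTO = "/dashboard.php?tab=1"


def safe_redirect_target(goto: str, default: str = "/") -> str:
    """Allow goto only as a same-site relative path; anything else becomes default.

    Covers the second finding (javascript: URI used as the post-login redirect):
    any scheme (javascript:, data:, http:), a scheme-relative //host, backslash
    variants and embedded whitespace/control characters are all rejected.
    """
    if not goto:
        return default
    candidate = goto.strip()
    if any(c.isspace() or ord(c) < 0x20 for c in candidate):
        return default  # e.g. "java\tscript:" against naive prefix checks
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc or "\\" in candidate:
        return default
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return candidate


def vulnerable_hidden_goto_input(goto: str) -> str:
    """The pattern the report describes: goto reflected raw into the attribute."""
    return '<input type="hidden" name="goto" value="%s">' % goto


def hidden_goto_input(goto: str) -> str:
    """Fixed form: the value is attribute-encoded, so the first payload can
    neither close the quote nor open a tag."""
    return '<input type="hidden" name="goto" value="%s">' % html.escape(goto, quote=True)


def render_login_form(goto: str) -> str:
    """Both fixes together: validate the target, then encode what is reflected."""
    return hidden_goto_input(safe_redirect_target(goto))


if __name__ == "__main__":
    for sample in (ATTR_PAYLOAD, URI_PAYLOAD, BENIGN_GOTO):
        print(repr(sample), "->", render_login_form(sample))
```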