FirstBlood-#454 — [COLLAB] Reflected XSS via login endpoint
This issue was discovered on FirstBlood v2
On 2021-10-25, amec0e Level 3 reported:
Hi mate,
I was checking over previous reports and I noticed "Patrice" didn't quite patch 1 vulnerability which was the reflected XSS via the goto parameter on the login endpoint. Using near the exact same payload we can achieve a reflected XSS.
Impact:
A malicious user could use this to execute JavaScript code in a victim's browser to steal session cookies.
Steps to Reproduce:
- Visit the endpoint /login.php
- Append the following parameter and payload to the URL:
  ?goto="><scr<script>ipt>confirm`1`</scr<script>ipt>
- Press enter and observe the payload trigger
Best regards,
Amec0e.
In Collaboration with thebinarybot
P3 Medium
Endpoint: /login.php
Parameter: ?goto
Payload: ?goto="><scr<script>ipt>confirm`1`</scr<script>ipt>
FirstBlood ID: 26
Vulnerability Type: Reflected XSS
The developers thought they had fixed ?goto= when reflected in an input tag on login.php from a similar bug (ID 39), but because this endpoint uses legacy code their changes were not applied here and thus the XSS was forgotten.