FirstBlood-#842 — Open Redirect on login.php with goto parameter
This issue was discovered on FirstBlood v2
On 2021-10-29, xnl-h4ck3r Level 4 reported:
I realised I had submitted Report #432 for open redirect on the same endpoint but using the javascript scheme. I wasn't completely sure if this open redirect is classed as the same bug, or a separate bug.
Summary
There is an open redirect on /login.php using the goto parameter that is not sanitised correctly, allowing an attacker to redirect a user to their site after login has happened.
The parameter is also vulnerable to XSS (reported previously) which is more critical, but this is classed as a separate vulnerability.
Steps to reproduce
- Go to the endpoint /login.php?goto=//attacker.com and enter the login details.
- Press SECURE LOGIN and observe the user is redirected to a different site.
Impact
Although this has lower impact than the XSS vulnerability on the same endpoint and parameter, it needs to be addressed separately. An attacker can craft a login link for a victim that will redirect them to the attacker's site once logged in.
P5 Informative
Endpoint: /login.php
Parameter: goto
Payload: //attacker.com
Even though this issue has been accepted as valid, no FirstBlood ID has been set for this report.
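As an added, defender-side illustration (not code from the report or from FirstBlood), the validator below shows why a "starts with /" check on goto still lets the protocol-relative payload //attacker.com through, and what a same-origin-only check looks like. The site origin is a placeholder assumption.

```python
from urllib.parse import urlsplit, urljoin

# Placeholder origin (assumed); the real application would use its own.
SITE_ORIGIN = "https://firstblood.example"


def naive_resolve(goto):
    """The flawed pattern: 'relative if it starts with /'.
    A browser treats //attacker.com as scheme-relative, so this leaves the site."""
    target = goto if goto.startswith("/") else "/"
    return urljoin(SITE_ORIGIN, target)


def is_safe_goto(value):
    """Accept only a root-relative path on this origin, e.g. '/account?x=1'."""
    if not value or len(value) > 2048:
        return False
    # Browsers strip leading whitespace/control chars and may reinterpret the rest.
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in value):
        return False
    # Browsers treat '\' as '/', so '/\attacker.com' behaves like '//attacker.com'.
    if "\\" in value:
        return False
    # Exactly one leading slash: rejects //host and ///host forms.
    if not value.startswith("/") or value.startswith("//"):
        return False
    parts = urlsplit(value)
    # Any scheme (javascript:, https:) or host means the target is not same-origin.
    if parts.scheme or parts.netloc:
        return False
    return True


def resolve_goto(goto, default="/"):
    """Hardened resolution: unsafe values fall back to the default landing page."""
    target = goto if is_safe_goto(goto) else default
    return urljoin(SITE_ORIGIN, target)


if __name__ == "__main__":
    # Constructed sample values, including the payload from this report.
    for candidate in ["/account", "//attacker.com", "/\\attacker.com",
                      "javascript:alert(1)", "https://attacker.com"]:
        print(f"{candidate!r:28} naive={naive_resolve(candidate)!r:34} "
              f"hardened={resolve_goto(candidate)!r}")
```

The same rule applies wherever goto is consumed, including the client-side JavaScript that performs the redirect here.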
Creator & Administrator
Hi there, the intended bug for this was actually XSS as the redirect occurs via JS if you check the source and has more impact than the open redirect. You're right it's also vulnerable to open redirect so I won't reject but also won't assign any ID as no XSS demonstrated here :)