FirstBlood-#563 — DOM Based XSS via redirection to javascript uri
This issue was discovered on FirstBlood v2
On 2021-10-26, neolex Level 2 reported:
Description
There is a goto parameter inside the login.php webpage that is vulnerable to DOM XSS via redirection to a javascript URI.
The goto parameter is reflected inside the response within
<script>top.location.href="HERE";</script>
when the user logs in.
It is possible to redirect to a javascript URI so we can trigger XSS to run javascript.
There is a filter that removes parentheses but we can use a backtick ` instead. There is also a filter that removes the word `alert`, but the filter is not recursive so the following payload will work: javascript:aalertlert`xss`
where the inner alert (inside another alert) will be removed but not the outer alert.
Step to reproduce
- open the following url https://8745a5db48cf-neolex.a.firstbloodhackers.com/login.php?action=login&goto=javascript:aalertlert`xss`
- log in to your account
- You will see the alert box showing up, javascript is executed
Fix
You should whitelist the goto payload so it must start with / or http
Impact
The impact is XSS: an attacker can execute javascript on behalf of the user, which means they can steal the session cookie of the victim.
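Added example (not code from the report or from FirstBlood): the non-recursive blacklist the reporter describes, placed next to an allow-list check of the kind the "Fix" section recommends. Function names and the appOrigin value are hypothetical.

```javascript
// Reproduces the filter behaviour described in the report: parentheses are
// stripped and the word "alert" is removed exactly once (not recursively).
// Hypothetical name; shown only to illustrate why a blacklist is not a fix.
function legacyGotoFilter(goto) {
  return goto.replace(/[()]/g, "").replace("alert", "");
}

// Allow-list validation of a redirect target: accept only a relative path
// ("/..." but not "//host", which browsers treat as scheme-relative) or an
// absolute http(s) URL whose origin equals the application's own origin.
// Everything else (javascript:, data:, foreign hosts) falls back to "/".
function validateGoto(goto, appOrigin) {
  if (typeof goto !== "string" || goto.length === 0) return "/";
  // Relative path: exactly one leading "/", no control characters and no
  // backslashes (browsers normalise "\" to "/" in http(s) URLs).
  if (/^\/(?!\/)/.test(goto) && !/[\x00-\x1f\\]/.test(goto)) {
    return goto;
  }
  // Absolute URL: parse it and compare the full origin (scheme, host, port).
  try {
    const u = new URL(goto);
    if ((u.protocol === "https:" || u.protocol === "http:") && u.origin === appOrigin) {
      return u.href;
    }
  } catch (e) {
    // Not a parseable absolute URL; fall through to the safe default.
  }
  return "/";
}

// The payload quoted in the report: survives the blacklist, rejected by the allow-list.
const REPORTED_PAYLOAD = "javascript:aalertlert`xss`";

function demo() {
  return {
    afterBlacklist: legacyGotoFilter(REPORTED_PAYLOAD),   // "javascript:alert`xss`"
    afterAllowList: validateGoto(REPORTED_PAYLOAD, "https://app.example"), // "/"
  };
}
```

The blacklist turns the reported payload into a working javascript: URI, while the allow-list discards it and keeps only same-origin or relative destinations.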
P3 Medium
Endpoint: /login.php
Parameter: goto
Payload: javascript:aalertlert`xss`
FirstBlood ID: 39
Vulnerability Type: Reflective XSS
Our mistake: The parameter "goto" on login.php should have been "fixed" when redirecting to prevent XSS, but due to an oversight from Sean and Karl, the new code did not make it into production. This has since been updated after the event ended and you're recommended to re-try. It's related to bug ID 26 because the idea was developers fixed *this* one (when redirecting) but forgot the other reflection.