FirstBlood-#897 — Open redirect vulnerability in the logout function
This issue was discovered on FirstBlood v2
On 2021-10-30, vigilante Level 4 reported:
https://71db6da74f3c-vigilante.a.firstbloodhackers.com/drpanel/logout.php?ref=/%09/evil.org
Summary:
It so possible to redirect a user to a malicious website through open redirect vulnerability.
The open redirect didn't work in Firefox but it seems to work in Chrome. It took me a while to figure this out.
Note: This is my report from First Blood V1, the same vulnerability exist, we just need a different payload.
Payload V1:
?ref=/\/\evil.org
Payload V2:
?ref=/%09/evil.org
Description:
Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. We can control where a user is redirected from FirstBlood. The user doesn't even have to be logged in.
Steps to Reproduce:
- Log in as a doctor and log out.
- Inspect the logout request, we'll see there's a possibility to redirect the user elsewhere, the "?ref=" parameter is present.
- Use this payload "/%09/evil.org" to navigate to an evil domain through FirstBlood redirection.
https://71db6da74f3c-vigilante.a.firstbloodhackers.com/drpanel/logout.php?ref=/%09/evil.org
GET /drpanel/logout.php?ref=/%09/yoursite.com HTTP/1.1
Host: 71db6da74f3c-vigilante.a.firstbloodhackers.com
Cookie: doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close
Impact
An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain.
Mitigation
The application should use URLs relative to the web root for all of its redirects, and the redirection function should validate that the URL received starts with a slash character and isn't followed by another slash character.
P4 Low
Endpoint: /drpanel/logout.php
Parameter: ?ref=
Payload: /%09/evil.org
FirstBlood ID: 18
Vulnerability Type: Open Redirect
The open redirect bug on logout.php was fixed but the code still failed to filter out certain characters such as
%09
and thus the endpoint is still vulnerable to open redirect. This vulnerability only affects chrome.