FirstBlood-#900 — Open redirect via goto parameter on /login.php endpoint
This issue was discovered on FirstBlood v2
On 2021-10-30, panya Level 7 reported:
The site contains an open redirect via the goto parameter value. I'm not sure that it's not the same as the bug with XSS via javascript: but still...
Steps to reproduce:
- Register a doctor account (e.g. with test as username and test as the invitation code).
- Visit this URL: https://a21f5a9e902d-panya.a.firstbloodhackers.com/login.php?goto=//google.com
- Fill in correct credentials (obtained after successful registration) from step 1 and press on the "Secure Login" button.
Actual result:
The user will be redirected to https://google.com.
Expected result:
The user should not be redirected to https://google.com. The goto parameter value should allow redirecting only to relative paths.
P3 Medium
Endpoint: /login.php
Parameter: goto
Payload: //google.com
FirstBlood ID: 39
Vulnerability Type: Reflective XSS
Our mistake: The parameter "goto" on login.php should have been "fixed" when redirecting to prevent XSS, but due to an oversight from Sean and Karl, the new code did not make it into production. This has since been updated since the event ended and you're recommended to re-try. It's related to bug ID 26 because the idea was developers fixed *this* one (when redirecting) but forgot the other reflection.
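The check the report's expected result asks for (a goto value is only honoured when it is a same-site relative path), written as an added Python example that is not FirstBlood's code; the function names, the default landing path and the sample inputs are assumptions, and the PHP endpoint itself is not reproduced here.

```python
"""Validate a post-login ``goto`` parameter so the redirect can only land on
a relative path of the same site.  Constructed example; names are assumed."""
from typing import Optional
from urllib.parse import unquote, urlsplit

DEFAULT_LANDING = "/"  # assumed fallback when goto is missing or unsafe


def vulnerable_redirect_target(goto: str) -> str:
    """The behaviour the report describes: the parameter is passed straight
    to the Location header, so ``//google.com`` leaves the site."""
    return goto or DEFAULT_LANDING


def safe_redirect_target(goto: Optional[str], default: str = DEFAULT_LANDING) -> str:
    """Return ``goto`` only if it is a plain same-site path, otherwise ``default``.

    Rejected shapes: scheme-relative ``//host``, backslash variants such as
    ``/\\host`` (browsers normalise them to ``//host``), absolute URLs and
    ``javascript:`` values (no leading slash), and control characters that
    could split the response header.  The decoded form is checked so that
    ``%2F%2Fhost`` does not slip past the prefix test.
    """
    if not goto:
        return default
    candidate = unquote(goto)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in candidate):
        return default
    if "\\" in candidate:
        return default
    # Exactly one leading slash: an absolute path on this origin.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return default
    return goto


if __name__ == "__main__":
    # Constructed inputs: the report's payload plus a few common variants.
    for value in ["//google.com", "/\\google.com", "%2F%2Fgoogle.com",
                  "javascript:alert(1)", "https://google.com/", "/dashboard?tab=1"]:
        print(f"{value!r:>24} -> {safe_redirect_target(value)!r}")
```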
Creator & Administrator
Hi panya, this was a mistake on our behalf (sorry!), and whilst an open redirect is still possible, the intended bug was to achieve XSS from this. We've since made some changes and fixed it. The parameter is handled in two places, reflected in an input, and then when redirecting. The first (reflected in input) was intended to be left how it is, but the redirect should have been fixed. Sorry for this and the poor experience this may have caused :(