FirstBlood-#262Open Redirect Vulnerability Observed in the Firstbloodhacker.com
This issue was discovered on FirstBlood v1



On 2021-05-15, netmous3 Level 4 reported:

Description:

Open redirect vulnerability was identified on the logout function of the doctor's login portal in the Firstbloodhacker web application. Logout URL can be crafted to redirect login out doctors to an attacker-controlled website.

Steps To Reproduce:
  1. Log in to the doctor's portal and log out.
  2. Intercept the log-out request using a web proxy and update the request with the payload %5c/{Evil_site_url}.
  3. Submit the request and observe the redirection to the URL used in #2.
Impact:

Impact for Firstbloodhacker.com is minimal as the no cookie values or any other authentication parameters are leak into the attacker. However, this redirection cause to reveal the doctor's portal internal url to the attacker via the referrer header and could use to access the internal resources if authentication cookies leaked.

P4 Low

Endpoint: /drpanel/logout.php

Parameter: ref

Payload: /%5c/{Evil_site_url}


FirstBlood ID: 1
Vulnerability Type: Open Redirect

There is an open url redirect vulnerability on /logout.php. The code expects it to start with / and does not allow to redirect to external domains but this can be bypassed.