
I am working on a security testing project, where I have noticed that the form action of a login page takes whatever is fed to the URI as a parameter. The respective part of the login page is as follows:

<form action="/admin/login/?param=Whateveryouputhere" method="post" id="login-form">

Actually, you can even omit the "param"; any value after the question mark will still be reflected. The default value for the param is "/next/" btw.

How could an attacker exploit it, especially via XSS? I tried to escape the quotation marks but it failed (they are auto-replaced with URL-encodings). Does it mean it is safe?

I have also checked the network tab of the browser, no other relative JS files are loaded except favicon and magnific popup.

Finally, the URL is in the form of site.com/admin/login/?param=value

GunG
  • Hi, it depends on how the param is used on the resulting page. Check how (or if at all) the 'param' gets processed on the resulting page via javascript. – Martin Fürholz May 10 '20 at 22:31
  • Hi @MartinFürholz, in addition to what I posted, there is also another field on the resulting page which is: ` ` and that's all, this part seems to be static though. – GunG May 10 '20 at 22:37

1 Answer


Unfortunately, since it is prepending a path, there's not much that can be done if you can't escape from the tag. If you had FULL control over the input to the action parameter, then it'd be a different story.

You could achieve XSS here by injecting a javascript: URI. Here's an example:

javascript:alert(document.cookie);

Here's an example code snippet to test it (PoC):

<form action="javascript:alert(document.cookie);" method="POST">
<input type="submit">
</form>

Tested it on my website and got an alert. It should also execute in context, as the javascript URI usually does.

Cillian Collins