FirstBlood-#119: POST-Based Reflected XSS on Login

On 2021-05-10, smhtahsin33 reported:

Hello, I found a Reflected XSS on http://firstbloodhackers.com:49394/login.php?action=login.

Steps To Reproduce:

  1. Visit http://firstbloodhackers.com:49394/login.php?goto=javascript:confirm``;
  2. Enter valid credentials.
  3. Tap on login, and the alert will pop up.

Impact: Injection of malicious JS code

P3 Medium

Endpoint: http://firstbloodhackers.com:49394/login.php?action=login

Parameter: ?goto=

Payload: javascript:confirm``;


FirstBlood ID: 14
Vulnerability Type: Reflective XSS

The parameter "goto" is vulnerable to XSS on login.php. The web application fails to reject a `javascript:` URI supplied as the post-login redirect target, so the browser executes it when the redirect is followed.
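The fix for this class of bug is to treat the redirect parameter as untrusted and allow only a same-site relative path, rather than trying to blocklist the `javascript:` scheme. The following is an added example written for this write-up, not code from the FirstBlood application: `safe_redirect_target`, `DEFAULT_LANDING` and the sample inputs are all constructed here. It rejects any value that carries a scheme or a host (including protocol-relative `//` and backslash variants that browsers treat as slashes) and falls back to a fixed landing page.

```python
import urllib.parse
from typing import Optional

# Constructed fallback: where the user lands when "goto" is missing or unsafe.
DEFAULT_LANDING = "/index.php"


def safe_redirect_target(goto: Optional[str], default: str = DEFAULT_LANDING) -> str:
    """Return a value safe to place in a Location header after login.

    Only an absolute path on this site ("/page.php?x=1") is accepted.
    Anything with a scheme (javascript:, data:, http:), a network location
    (protocol-relative "//host"), or a relative-looking path is replaced
    by ``default``.
    """
    if not goto:
        return default

    # Drop control characters and surrounding whitespace: browsers tolerate
    # "\tjavascript:" or "  javascript:", so a naive prefix check would miss them.
    candidate = "".join(ch for ch in goto if ch.isprintable()).strip()

    # Browsers treat "\" as "/", so "/\evil.example" is really "//evil.example".
    candidate = candidate.replace("\\", "/")

    parsed = urllib.parse.urlsplit(candidate)

    # A scheme (urlsplit lowercases it, so "JaVaScRiPt:" is caught too) or a
    # netloc means the target leaves this site or is not a path at all.
    if parsed.scheme or parsed.netloc:
        return default

    # Require an absolute path; keep the "//" check explicit for readability.
    if not parsed.path.startswith("/") or parsed.path.startswith("//"):
        return default

    # Rebuild with only path and query; the fragment never reaches the server anyway.
    return urllib.parse.urlunsplit(("", "", parsed.path, parsed.query, ""))


if __name__ == "__main__":
    # Constructed sample inputs, including the payload from the report.
    samples = [
        "javascript:confirm``;",
        "  JaVaScRiPt:confirm``;",
        "//evil.example/",
        "/\\evil.example",
        "https://firstbloodhackers.com:49394/",
        "dashboard.php",
        "/dashboard.php?tab=1",
    ]
    for value in samples:
        print(f"{value!r:45} -> {safe_redirect_target(value)}")
```

Note that the check is an allow-list: even an absolute URL pointing at the site's own host is rejected, because accepting "same host" safely would mean parsing and comparing hostnames and ports, which is where open-redirect bugs tend to hide. If the application genuinely needs to redirect off-site, map the parameter to a fixed table of permitted destinations instead of passing the raw value through.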


Respect Earnt: 1000000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.