FirstBlood #119: POST-Based Reflected XSS on Login

On 2021-05-10, smhtahsin33 reported:

Hello, I found a Reflected XSS on

Steps To Reproduce:

  1. Visit``;
  2. Enter Valid Credentials
  3. Tap on login, and the alert will pop up.

Impact: Injection of malicious JS code

P3 Medium


Parameter: ?goto=

Payload: javascript:confirm``;

FirstBlood ID: 14
Vulnerability Type: Reflected XSS

The "goto" parameter of login.php is vulnerable to XSS: the web application does not reject the javascript: URI scheme before using the value as a post-login redirect target.
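The fix for this class of bug is to treat the redirect target as untrusted input and allow only site-relative paths or same-origin http(s) URLs. The following Python validator is an added example written for this write-up; it is not code from the report or from the FirstBlood application, and the host name `app.example`, the default landing page and the function names `is_safe_redirect` / `resolve_goto` are assumptions. The same check applies whichever way the application performs the redirect (Location header, meta refresh or a JavaScript assignment to `location`), since a `javascript:` value executes in link and script-driven contexts.

```python
from urllib.parse import urlsplit

# Hypothetical application host: the report names login.php but not the host.
APP_HOST = "app.example"
# Where to send the user when the supplied "goto" value is rejected.
DEFAULT_LANDING = "/"


def is_safe_redirect(goto: str, app_host: str = APP_HOST) -> bool:
    """Return True only when `goto` may be used as the post-login redirect target."""
    if not goto:
        return False
    # Whitespace and control characters let values such as "java\tscript:"
    # slip past naive scheme checks and can also break a Location header.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in goto):
        return False
    # Some browsers treat "/\evil.example" like "//evil.example"; refuse backslashes outright.
    if "\\" in goto:
        return False
    parts = urlsplit(goto)
    scheme = parts.scheme.lower()
    if scheme:
        # Absolute URL: allow only http(s), and only our own host.
        # This rejects javascript:, data:, vbscript: and any other scheme.
        if scheme not in ("http", "https"):
            return False
        return parts.netloc.lower() == app_host
    # No scheme: require a site-relative path. "//evil.example" is
    # protocol-relative and would leave the site, so it is refused too.
    if goto.startswith("//"):
        return False
    return goto.startswith("/")


def resolve_goto(goto: str, app_host: str = APP_HOST) -> str:
    """Return the validated target, or the default landing page when validation fails."""
    return goto if is_safe_redirect(goto, app_host) else DEFAULT_LANDING


if __name__ == "__main__":
    # Constructed sample inputs, including the payload from the report.
    for candidate in ("javascript:confirm``;", "//evil.example/", "/dashboard?tab=1",
                      "https://app.example/dashboard", "http://evil.example/"):
        print(f"{candidate!r:40} -> {resolve_goto(candidate)}")
```

The validator is an allow-list, not a deny-list: it never tries to strip or blacklist `javascript:`, because case variations, embedded control characters and alternative schemes make deny-lists easy to miss. Anything that is not a same-origin http(s) URL or a site-relative path falls back to the default landing page.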

Respect Earnt: 1000000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.