FirstBlood-#119POST Based Reflected XSS on Login
This issue was discovered on FirstBlood v1.0.0



On 2021-05-10, smhtahsin33 Level 3 reported:

Hello, I Found a Reflected XSS on http://firstbloodhackers.com:49394/login.php?action=login.

Steps To Reproduce:

  1. Visit http://firstbloodhackers.com:49394/login.php?goto=javascript:confirm``;
  2. Enter Valid Credentials
  3. Tap on login, and the alert will be popped up.

Impact: Injection of malicious JS code

P3 Medium

Endpoint: http://firstbloodhackers.com:49394/login.php?action=login

Parameter: ?goto=

Payload: javascript:confirm``;


FirstBlood ID: 14
Vulnerability Type: Reflective XSS

The parameter "goto" is vulnerable to XSS on login.php. The web application fails to filter the javascript URI upon redirecting