FirstBlood-#119 POST Based Reflected XSS on Login
This issue was discovered on FirstBlood v1

On 2021-05-10, smhtahsin33 Level 3 reported:

Hello, I found a Reflected XSS on

Steps To Reproduce:

  1. Visit``;
  2. Enter Valid Credentials
  3. Tap on login, and the alert will be popped up.

Impact: Injection of malicious JS code

P3 Medium


Parameter: ?goto=

Payload: javascript:confirm``;

FirstBlood ID: 14
Vulnerability Type: Reflective XSS

The parameter "goto" is vulnerable to XSS on login.php. The web application fails to filter the javascript: URI upon redirecting.
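
One way to validate a post-login redirect parameter such as "goto" is to allow only same-origin, site-relative paths instead of filtering out bad schemes. This is an added example, not FirstBlood's code; `safeRedirectTarget`, `APP_ORIGIN`, `FALLBACK` and the sample inputs are hypothetical names and constructed values.

```javascript
// Added example (not from the original report): allow-list validation of a
// redirect target taken from a query parameter such as ?goto=.
const APP_ORIGIN = "https://app.example"; // assumption: placeholder origin
const FALLBACK = "/";                     // assumption: default landing page

function safeRedirectTarget(goto, appOrigin = APP_ORIGIN) {
  if (typeof goto !== "string" || goto.length === 0) return FALLBACK;

  // Accept only a site-relative path: a single leading "/" that is not
  // followed by "/" or "\" (both are treated as scheme-relative by browsers).
  // Anything carrying a scheme (javascript:, data:, https:, ...) fails here,
  // regardless of letter case.
  if (!/^\/(?![\/\\])/.test(goto)) return FALLBACK;

  let url;
  try {
    url = new URL(goto, appOrigin);
  } catch {
    return FALLBACK;
  }

  // The URL parser strips tabs and newlines, so re-check the result after
  // parsing instead of trusting the raw string.
  if (url.origin !== appOrigin) return FALLBACK;
  if (url.protocol !== "https:" && url.protocol !== "http:") return FALLBACK;

  // Return only the path, query and fragment; never echo the raw input.
  return url.pathname + url.search + url.hash;
}

// Constructed sample inputs; the first is the payload from the report.
const samples = [
  "javascript:confirm``;",
  "JaVaScRiPt:confirm``;",
  "//other.example/landing",
  "/\t/other.example/landing",
  "/account?tab=1#top",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", safeRedirectTarget(s));
}
```

The same rule belongs on the server side wherever login.php builds the redirect, so the value is checked before it ever reaches a Location header or a script sink.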