FirstBlood-#273Reflected XSS on /login.php using the GET paramter 'goto'

On 2021-05-15, iffu reported:

Hi zseano


I've found a Reflected Cross Site Scripting Vulnerability on /login.php for the GET parameter 'goto'.

How I found this bug

  • After playing a lot with the endpoints IDORS and business logic bugs, I started searching for XSS.
  • I kept putting simple payloads like "><svg on every url parameter and every input field I found.
  • As a result, I found two Stored XSS.
  • And then, I thought to bruteforce the parameters to know if there are any hidden parameters on the site.
  • I started param miner on burp and after sometime I came to know that there is a hidden parameter "goto" on /login.php.
  • From here on, it's simply bypassing the filters which is very similar to bypassing the filter of already found Stored XSS (getting into developer's head in Zseano's methodology)

Steps to reproduce

  • Visit /login.php
  • Append a parameter goto to the URL with the XSS payload as its value
  • Now refresh the page.
  • You will be popped with an alert box indicating XSS.

Thanks zseano and please let me know if you need any more info regarding this bug

P3 Medium

Endpoint: /login.php

Parameter: goto

Payload: iffu"><scr<script>ipt>confirm`1`</scr</script>ipt><"

FirstBlood ID: 2
Vulnerability Type: Reflective XSS

The parameter "goto" is vulnerable to XSS on login.php. The web application makes use of a WAF but this can be bypassed as it's only looking for certain HTML tags and event handlers. It is also vulnerable to open redirect but XSS is the intended bug.

Respect Earnt: 1000000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.