FirstBlood-#273: Reflected XSS on /login.php using the GET parameter 'goto'
This issue was discovered on FirstBlood v1

On 2021-05-15, iffu Level 5 reported:

Hi zseano


I've found a Reflected Cross Site Scripting Vulnerability on /login.php for the GET parameter 'goto'.

How I found this bug

  • After playing a lot with the endpoints IDORs and business logic bugs, I started searching for XSS.
  • I kept putting simple payloads like "><svg on every URL parameter and every input field I found.
  • As a result, I found two Stored XSS.
  • And then, I thought to brute-force the parameters to know if there are any hidden parameters on the site.
  • I started Param Miner on Burp and after some time I came to know that there is a hidden parameter "goto" on /login.php.
  • From here on, it's simply bypassing the filters, which is very similar to bypassing the filter of the already found Stored XSS (getting into the developer's head in Zseano's methodology).

Steps to reproduce

  • Visit /login.php
  • Append a parameter goto to the URL with the XSS payload as its value
  • Now refresh the page.
  • You will be popped with an alert box indicating XSS.

Thanks zseano, and please let me know if you need any more info regarding this bug.

P3 Medium

Endpoint: /login.php

Parameter: goto

Payload: iffu"><scr<script>ipt>confirm`1`</scr</script>ipt><"

FirstBlood ID: 2
Vulnerability Type: Reflective XSS

The parameter "goto" is vulnerable to XSS on login.php. The web application makes use of a WAF but this can be bypassed as it's only looking for certain HTML tags and event handlers. It is also vulnerable to open redirect but XSS is the intended bug.
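
The payload in this report nests one `<script>` tag inside another, which is the shape that defeats a filter that deletes blocked tags in a single pass. The Python sketch below is an added example, not FirstBlood's code: it assumes such a single-pass filter and an attribute reflection point (neither is shown on the page; all function names are hypothetical) and contrasts it with output encoding plus a same-site check on `goto`, which also closes the open redirect.

```python
import html
import re
from urllib.parse import urlsplit

# Payload quoted in the report above.
PAGE_PAYLOAD = 'iffu"><scr<script>ipt>confirm`1`</scr</script>ipt><"'

# ASSUMPTION: the filter deletes blocked tags in one pass (not shown on the page).
BLOCKED_TAGS = re.compile(r"</?script>", re.IGNORECASE)
FIELD = '<input type="hidden" name="goto" value="%s">'  # assumed reflection point


def strip_once(value):
    """Deny-list filter: remove blocked tags once, never re-check the result."""
    return BLOCKED_TAGS.sub("", value)


def render_weak(goto):
    """Reflect the filtered value without encoding it for the HTML context."""
    return FIELD % strip_once(goto)


def safe_goto(goto, default="/"):
    """Accept only same-site absolute paths; anything else becomes `default`."""
    if any(ord(ch) < 0x20 for ch in goto) or "\\" in goto:
        return default
    try:
        parts = urlsplit(goto)
    except ValueError:
        return default
    if parts.scheme or parts.netloc:
        return default
    if not goto.startswith("/") or goto.startswith("//"):
        return default
    return goto


def render_hardened(goto):
    """Validate the redirect target, then encode for the attribute context."""
    return FIELD % html.escape(safe_goto(goto), quote=True)


if __name__ == "__main__":
    print(strip_once(PAGE_PAYLOAD))        # removal reassembles the tag
    print(render_weak(PAGE_PAYLOAD))
    print(render_hardened(PAGE_PAYLOAD))
    print(render_hardened('/account?tab="1"'))  # constructed same-site value
```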