FirstBlood-#274Open Redirect on /login.php via goto body parameter
This issue was discovered on FirstBlood v1

On 2021-05-15, iffu Level 5 reported:

Hi zseano


I've found an Open Redirection Vulnerability on /login.php via the body parameter 'goto'

Steps to Reproduce

  • Visit /login.php
  • Give your credentials and login.
  • Capture this request in burp.
  • Now add one more body parameter goto to the request with the attacker controlled site as the value to the parameter.
  • This is being reflected in top.location.href in the body.
  • Now you will be redirected to attacker controlled domain.


  • The attacker can put a legitimately looking phishing page with a login and trick the user into putting his credentials and stealing them.

Thanks zseano and please let me know if you need any more info regarding this bug

P4 Low

Endpoint: /login.php

Parameter: goto


FirstBlood ID: 2
Vulnerability Type: Reflective XSS

The parameter "goto" is vulnerable to XSS on login.php. The web application makes use of a WAF but this can be bypassed as it's only looking for certain HTML tags and event handlers. It is also vulnerable to open redirect but XSS is the intended bug.

Report Feedback


Creator & Administrator

Hi iffu, there is actually an XSS bug here which has more impact and was the intended bug here :) you will be able to see disclosed reports on this soon, and i'm triaging it as the xss bug to categorise it with it