FirstBlood-#343 Reflective XSS on login.php via goto parameter after successful login
This issue was discovered on FirstBlood v2



On 2021-10-25, panya Level 7 reported:

Steps to reproduce:

  1. Go to this URL: https://579a3c7897af-panya.a.firstbloodhackers.com/login.php?goto=javascript:confirm%26lpar;origin%26rpar;
  2. Fill in valid doctor credentials.
  3. Press on the "Secure Login" button.

Actual result:

There will be an alert with the text: "https://579a3c7897af-panya.a.firstbloodhackers.com"

Expected result:

The goto parameter value should be properly escaped or sanitized.

Impact:

An attacker could execute JS code on behalf of a user of this site.

P3 Medium

Endpoint: /login.php

Parameter: goto

Payload: javascript:confirm%26lpar;origin%26rpar;


FirstBlood ID: 39
Vulnerability Type: Reflective XSS

Our mistake: The parameter "goto" on login.php should have been "fixed" when redirecting to prevent XSS, but due to an oversight from Sean and Karl, the new code did not make it into production. This has since been updated since the event ended and you're recommended to re-try. It's related to bug ID 26 because the idea was developers fixed *this* one (when redirecting) but forgot the other reflection.
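The fix the note above describes is validation of the goto value before it is used as a redirect target. The following is an added example written for this page, not FirstBlood's own login.php code: it decodes the parameter the way the browser eventually will (URL decoding, then HTML entity decoding, which is what turns the report's %26lpar; into a parenthesis) and then accepts only a site-relative path, falling back to a constructed default landing page (DEFAULT_TARGET is an assumption, not FirstBlood's real page).

```python
"""Validate a post-login "goto" redirect parameter.

Added example, not FirstBlood's code. Shows why the report's payload
javascript:confirm%26lpar;origin%26rpar; must be rejected rather than escaped
in place: the value is a redirect target, so the only safe policy is an
allowlist of same-site paths.
"""
import html
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

# Constructed default; the real post-login page of the site is not given here.
DEFAULT_TARGET = "/home.php"

# ASCII control characters and whitespace, which browsers strip or ignore
# inside a scheme ("java\tscript:") and which a legitimate site path never needs.
_CONTROL_OR_WS = re.compile(r"[\x00-\x20\x7f]")


def normalize_goto(raw: str) -> str:
    """Apply the decoding layers a browser will apply before acting on the value.

    The server URL-decodes %26lpar; to &lpar;, and once the value is reflected
    into an HTML attribute the browser decodes &lpar; to "(".  The loop is
    bounded so a value that keeps changing cannot spin forever.
    """
    value = raw
    for _ in range(3):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value


def safe_redirect_target(raw_goto: Optional[str]) -> str:
    """Return a same-site path to redirect to, or DEFAULT_TARGET if goto is unsafe."""
    if not raw_goto:
        return DEFAULT_TARGET
    value = normalize_goto(raw_goto)
    if _CONTROL_OR_WS.search(value):
        return DEFAULT_TARGET
    parts = urlsplit(value)
    # Any scheme (javascript:, data:, http:) or network location (//host) is rejected;
    # only paths on this site are acceptable redirect targets.
    if parts.scheme or parts.netloc:
        return DEFAULT_TARGET
    # Require an absolute site path and reject protocol-relative forms,
    # including the backslash variant browsers treat like "//".
    if not value.startswith("/") or value.startswith("//") or value.startswith("/\\"):
        return DEFAULT_TARGET
    return value


if __name__ == "__main__":
    # The payload from the report, and a benign site path for comparison.
    for candidate in ("javascript:confirm%26lpar;origin%26rpar;", "/home.php?tab=1"):
        print(repr(candidate), "->", safe_redirect_target(candidate))
```

The point of decoding before checking is that escaping the reflected value (the usual XSS fix) would not help here: the entity-encoded parentheses survive output escaping and are decoded by the browser inside the attribute, so the redirect still becomes a javascript: URL. Rejecting anything with a scheme or host, and redirecting to a known page instead, closes both this report and the related reflection the note mentions.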