FirstBlood-#420 Reflective XSS on login.php
This issue was discovered on FirstBlood v2



On 2021-10-25, shivam18u Level 3 reported:

Hi Sean,

I found a reflective XSS on the login.php page using a hidden parameter, goto.

By visiting the link https://20380f62fd41-shivam18u.a.firstbloodhackers.com/login.php?goto=hello%22%3E%3Cscr%3Cscript%3Eipt%3Ealealertrt`1`%3C/scr%3C/script%3Eipt%3E, the XSS can be triggered.

Payload: hello%22%3E%3Cscr%3Cscript%3Eipt%3Ealealertrt`1`%3C/scr%3C/script%3Eipt%3E

By using a script stored on a remote server, you can bypass the filters.

This can be used to steal admin's cookies.

Have a nice day!

P3 Medium

Endpoint: /login.php

Parameter: goto

Payload: hello%22%3E%3Cscr%3Cscript%3Eipt%3Ealealertrt`1`%3C/scr%3C/script%3Eipt%3E


FirstBlood ID: 26
Vulnerability Type: Reflective XSS

The developers thought they had fixed ?goto= when reflected in an input tag on login.php from a similar bug (ID 39), but because this endpoint uses legacy code their changes were not applied here and thus the XSS was forgotten.
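Added example (not from the report or the FirstBlood code base) showing why the nested payload above survives a strip-once blocklist and why contextual output encoding is the fix rather than a better blocklist. The legacy filter and the surrounding input markup are assumptions reconstructed from the payload's shape; the PHP equivalent of the hardened branch is htmlspecialchars($goto, ENT_QUOTES).

```python
import html
import re
from urllib.parse import unquote

# The payload exactly as reported, URL-decoded once by the web server.
REPORTED_PAYLOAD = unquote(
    "hello%22%3E%3Cscr%3Cscript%3Eipt%3Ealealertrt`1`%3C/scr%3C/script%3Eipt%3E"
)

# Assumed legacy filter: each token is deleted in a single, non-recursive pass.
BLOCKLIST = ("<script>", "</script>", "alert")


def strip_once(value: str) -> str:
    """Delete every blocklisted token once; whatever the deletions leave behind is trusted."""
    for token in BLOCKLIST:
        value = value.replace(token, "")
    return value


def render_legacy(goto: str) -> str:
    """Assumed legacy login.php behaviour: blocklist, then reflect into a quoted attribute."""
    return '<input type="hidden" name="goto" value="%s">' % strip_once(goto)


def render_fixed(goto: str) -> str:
    """Hardened rendering: HTML-attribute encode, so '\"' and '<' cannot end the attribute or tag."""
    return '<input type="hidden" name="goto" value="%s">' % html.escape(goto, quote=True)


def has_script_tag(markup: str) -> bool:
    """Crude check used only to compare the two renderings: is a real <script> tag present?"""
    return re.search(r"<script\b", markup, re.IGNORECASE) is not None


if __name__ == "__main__":
    # Removing "<script>" from "<scr<script>ipt>" leaves "<script>" behind, and likewise
    # "alealertrt" collapses to "alert": the filter assembles the tag it was meant to remove.
    print(strip_once(REPORTED_PAYLOAD))   # hello"><script>alert`1`</script>
    print(render_legacy(REPORTED_PAYLOAD))
    print(render_fixed(REPORTED_PAYLOAD))
```

Run it and compare the last two lines: the legacy rendering closes the attribute and tag and emits a live script element, while the encoded rendering keeps the whole payload inert inside the value attribute.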