FirstBlood-#454[COLLAB] Reflected XSS via login endpoint
This issue was discovered on FirstBlood v2

On 2021-10-25, amec0e Level 3 reported:

Hi mate,

I was checking over previous reports and I noticed "Patrice" didn't quite patch one vulnerability, which was the reflected XSS via the goto parameter on the login endpoint. Using nearly the exact same payload we can achieve a reflected XSS.


A malicious user could use this to execute JavaScript code in a victim's browser to steal session cookies.

Steps to Reproduce:

  • Visit the endpoint /login.php

  • Append the following parameter and payload to the URL:

  • Press enter and observe the payload trigger

Best regards,


In Collaboration with thebinarybot

P3 Medium

Endpoint: /login.php

Parameter: ?goto

Payload: ?goto="><scr<script>ipt>confirm`1`</scr<script>ipt>

FirstBlood ID: 26
Vulnerability Type: Reflected XSS

The developers thought they had fixed the ?goto= reflection into an input tag on login.php after a similar bug (ID 39), but because this endpoint uses legacy code their change was never applied here, and the XSS was forgotten. The shape of the payload (a `<script>` tag nested inside the fragments of another) suggests the legacy filter removes the literal `<script>` string in a single, non-recursive pass, so stripping the inner tag leaves a well-formed outer one behind. The leading `">` closes the input's value attribute so the tag lands in HTML context, and confirm`1` is a tagged-template call, so the payload contains no parentheses.
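The following is an added example, not FirstBlood's code or the reporter's: it models the single-pass `<script>` strip inferred from the payload's shape, shows why the nested payload survives it when reflected into the input's value attribute, and places a hardened version beside it. The filter, the template string and the helper names (`legacyStripScript`, `legacyRender`, `safeGoto`, `hardenedRender`) are assumptions; only the payload and the reflection into an input tag come from the page. The hardened version goes slightly beyond the report by also restricting ?goto to a same-site relative path, which closes the open-redirect use of the same parameter.

```javascript
// Added example (not FirstBlood's code). Models an assumed non-recursive
// <script> strip and a hardened reflection of ?goto into an input attribute.

// Constructed from the report: the exact payload, minus the "?goto=" prefix.
const PAYLOAD = '"><scr<script>ipt>confirm`1`</scr<script>ipt>';

// Assumed legacy filter: deletes every literal "<script>" / "</script>" in a
// single pass (what a str_replace-style call does). It never re-scans the
// result, so text that becomes "<script>" only after one deletion survives.
function legacyStripScript(value) {
  return value.replace(/<\/?script>/gi, '');
}

// Assumed legacy template: ?goto is reflected into a hidden input's value.
function legacyRender(goto) {
  return '<input type="hidden" name="goto" value="' + legacyStripScript(goto) + '">';
}

// HTML attribute-context encoding (same characters htmlspecialchars with
// ENT_QUOTES covers). A '"' can no longer close the attribute and a '<' can
// no longer open a tag, whatever the rest of the value looks like.
function encodeAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return value.replace(/[&<>"']/g, c => map[c]);
}

// Hardened: ?goto must be a single-slash relative path. Rejects absolute URLs,
// protocol-relative "//host", the "/\host" browser quirk and CR/LF, falling
// back to "/". This is a redirect-target check, not an XSS fix on its own.
function safeGoto(goto) {
  if (typeof goto !== 'string') return '/';
  if (!/^\/(?![\/\\])[^\r\n\\]*$/.test(goto)) return '/';
  return goto;
}

// Hardened template: validate the value, then encode for the attribute context.
function hardenedRender(goto) {
  return '<input type="hidden" name="goto" value="' + encodeAttr(safeGoto(goto)) + '">';
}

// Check used below: does the rendered markup contain a literal script element?
function containsScriptTag(html) {
  return /<script\b[^>]*>/i.test(html);
}

// Stand-alone demonstration.
console.log('legacy  :', legacyRender(PAYLOAD));
console.log('hardened:', hardenedRender(PAYLOAD));
```

Running it, the legacy render is `<input type="hidden" name="goto" value=""><script>confirm`1`</script>">`: the first `"` closes the attribute, `>` closes the input, and the two stripped fragments collapse into a real script element. The hardened render for the same input is `<input type="hidden" name="goto" value="/">`. The encoding is the part that fixes the XSS; the path check is independent, and a value such as `/"><script>` that passes it is still rendered inert because every `"` and `<` is encoded.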