FirstBlood-#579 Reflective XSS on /login.php?goto=
This issue was discovered on FirstBlood v2

On 2021-10-26, th4nu0x0 Level 2 reported:


Hey, I have found a reflective cross-site scripting on /login.php?goto= which has the potential to steal cookies, which can lead to account takeover of higher-privilege accounts when the user visits the malicious link.


  • Alerts 1: "onmouseleave=confirm`1`//
  • To Steal Cookies: "onmouseleave="window.location.href=`${document.cookie}`"//

Steps To Reproduce:


An attacker can use this vulnerability to inject malicious JavaScript and steal cookies of users.

P3 Medium

Endpoint: /login.php

Parameter: goto

Payload: "onmouseleave=confirm`1`//

FirstBlood ID: 26
Vulnerability Type: Reflective XSS

The developers thought they had fixed ?goto= when reflected in an input tag on login.php from a similar bug (ID 39), but because this endpoint uses legacy code, their changes were not applied here and thus the XSS was forgotten.
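
The note above describes a fix that reached one code path but not the legacy one. The following regression check is an added example, not FirstBlood's code: it sends one harmless canary probe through every renderer that reflects goto and reports which ones let the value leave the input tag's attribute. The renderer functions, the markup and the canary name are constructed assumptions.

```python
import html
from html.parser import HTMLParser

CANARY = "data-xss-canary"        # constructed, harmless marker attribute
PROBE = f'x" {CANARY}="1'         # tries to close value="..." and add an attribute


class InputAudit(HTMLParser):
    """Collects the attributes of every <input> element in a response body."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append(dict(attrs))


def breaks_out(body):
    """True if the probe left the value attribute and became its own attribute."""
    audit = InputAudit()
    audit.feed(body)
    audit.close()
    return any(CANARY in attrs for attrs in audit.inputs)


# Hypothetical stand-ins for the two code paths; the markup is constructed.
def render_legacy(goto):
    # Raw reflection: a double quote in goto terminates the attribute.
    return f'<form><input name="goto" value="{goto}"></form>'


def render_patched(goto):
    # Attribute-context encoding (PHP: htmlspecialchars($v, ENT_QUOTES, 'UTF-8')).
    return f'<form><input name="goto" value="{html.escape(goto, quote=True)}"></form>'


def audit_endpoints(renderers):
    """Run the same probe through every renderer that reflects goto."""
    return {name: breaks_out(render(PROBE)) for name, render in renderers.items()}


if __name__ == "__main__":
    print(audit_endpoints({"legacy": render_legacy, "patched": render_patched}))
```

In a real test suite the renderers would be replaced by fetches of each page that reflects goto, so a path that missed the fix fails the build.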