FirstBlood-#579 — Reflective XSS on /login.php?goto=
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-26, th4nu0x0 Level 2 reported:
Hey, I have found a reflective cross-site scripting on /login.php?goto= which has the potential to steal cookies, which can lead to account takeover of higher-privilege accounts when the user visits the malicious link.
- Alerts 1:
- To Steal Cookies:
Steps To Reproduce:
- Visit https://your-instance.a.firstbloodhackers.com/login.php?goto="onmouseleave=confirm`1`//
- Move the mouse pointer down towards
FirstBlood ID: 26
Vulnerability Type: Reflective XSS
The developers believed they had fixed the reflection of ?goto= into an input tag on login.php after a similar report (ID 39), but because this endpoint runs on legacy code that change was never applied here, so the XSS remained.
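The PoC payload in the steps above and the root-cause note about the unpatched legacy path come down to one rendering mistake: the parameter is written into a quoted `value="..."` attribute without attribute encoding, so a leading double quote ends the value and everything after it is parsed as new attributes. The script below is an added example and is not FirstBlood's own code; the renderer names, the form markup and the small tag tokenizer are assumptions made for illustration, and only the payload is taken from the report. It renders the form the vulnerable way and the encoded way, then tokenizes the result the way a browser would to show where an `onmouseleave` handler appears.

```javascript
// Added example, not FirstBlood's code. Hypothetical login-form renderer
// that reflects ?goto= into <input value="..."> unescaped (the behaviour
// the report's payload implies for the legacy login.php path), the same
// renderer with attribute encoding, and a tag/attribute tokenizer that
// shows why "onmouseleave=confirm`1`// becomes a live event handler in
// the first case and inert text in the second.

// The report's payload, URL-decoded (constructed here from the PoC URL).
const PAYLOAD = '"onmouseleave=confirm`1`//';

// Vulnerable: the parameter is interpolated straight into a quoted
// attribute, so a leading double quote closes the value early.
function renderLoginVulnerable(gotoParam) {
  return '<form method="post" action="/login.php">' +
    '<input type="hidden" name="goto" value="' + gotoParam + '">' +
    '<input type="text" name="username">' +
    '</form>';
}

// Encode the characters that can change tag or attribute structure
// (what PHP's htmlspecialchars($s, ENT_QUOTES) does for this purpose).
function escapeHtmlAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Fixed: identical markup, attribute-encoded value.
function renderLoginFixed(gotoParam) {
  return '<form method="post" action="/login.php">' +
    '<input type="hidden" name="goto" value="' + escapeHtmlAttr(gotoParam) + '">' +
    '<input type="text" name="username">' +
    '</form>';
}

// Minimal start-tag tokenizer following the HTML tokenizer's error-tolerant
// rules for the cases that matter here: once a quoted value ends, the next
// non-space character begins a new attribute name; an unquoted value runs
// until whitespace or '>'. Entities are left undecoded (they never alter
// tag structure). Returns [{ name, attrs: [{ name, value }] }].
function parseTags(html) {
  const tags = [];
  const isSpace = (c) => /\s/.test(c);
  let i = 0;
  while (i < html.length) {
    if (html[i] !== '<') { i++; continue; }
    i++;
    if (html[i] === '/') {                       // end tag: skip to '>'
      while (i < html.length && html[i] !== '>') i++;
      i++;
      continue;
    }
    let tagName = '';
    while (i < html.length && !isSpace(html[i]) && html[i] !== '>' && html[i] !== '/') tagName += html[i++];
    const attrs = [];
    while (i < html.length && html[i] !== '>') {
      if (isSpace(html[i]) || html[i] === '/') { i++; continue; }
      let name = '';
      while (i < html.length && !isSpace(html[i]) && html[i] !== '=' && html[i] !== '>') name += html[i++];
      while (i < html.length && isSpace(html[i])) i++;
      let value = '';
      if (html[i] === '=') {
        i++;
        while (i < html.length && isSpace(html[i])) i++;
        const q = html[i];
        if (q === '"' || q === "'") {             // quoted value
          i++;
          while (i < html.length && html[i] !== q) value += html[i++];
          i++;                                     // past closing quote
        } else {                                   // unquoted value
          while (i < html.length && !isSpace(html[i]) && html[i] !== '>') value += html[i++];
        }
      }
      attrs.push({ name: name.toLowerCase(), value });
    }
    i++;                                           // past '>'
    tags.push({ name: tagName.toLowerCase(), attrs });
  }
  return tags;
}

// Every on* attribute in the markup: script a browser would run on that event.
function findEventHandlers(html) {
  const found = [];
  for (const tag of parseTags(html)) {
    for (const a of tag.attrs) {
      if (a.name.startsWith('on')) found.push({ tag: tag.name, attr: a.name, value: a.value });
    }
  }
  return found;
}

// Raw (undecoded) value of attrName on the first tagName tag, or null.
function getAttr(html, tagName, attrName) {
  for (const tag of parseTags(html)) {
    if (tag.name !== tagName) continue;
    const a = tag.attrs.find((x) => x.name === attrName);
    if (a) return a.value;
  }
  return null;
}

console.log('vulnerable:', findEventHandlers(renderLoginVulnerable(PAYLOAD)));
// → [ { tag: 'input', attr: 'onmouseleave', value: 'confirm`1`//"' } ]
console.log('fixed:', findEventHandlers(renderLoginFixed(PAYLOAD)));
// → []
```

Run it with `node`. In the vulnerable output the `value` attribute is truncated to the empty string and `onmouseleave` becomes its own attribute whose body is `confirm`1`//"`; the trailing `//` in the payload is what comments out the stray closing quote so the handler still parses as JavaScript. In the encoded output the whole payload stays inside the `value` attribute as `&quot;onmouseleave=confirm`1`//`. The practical lesson of the root-cause note is that encoding must live at every output sink, not be patched into one endpoint: after a fix, replay the same payload against each place the parameter is reflected, legacy paths included, rather than assuming the earlier fix carried over.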