FirstBlood-#628 — Reflected XSS on Login.php goto parameter
This issue was discovered on FirstBlood v2
On 2021-10-26, sumyth Level 2 reported:
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles
Hi,
Please find a brief description of the vulnerability below,
Summary
On the login.php page on firstblood.com, there exists a reflected XSS vulnerability which can be used to execute arbitrary JavaScript payloads.
Steps to Reproduce:
- Visit the vulnerable endpoint. Add the 'goto=' parameter to the URL along with payload and send the request to server.
- Enter a valid username/password combo and click on 'secure login'. Observe that the server responds back with JavaScript payload getting executed in the next page.
Impact
Reflected XSS present in the GET parameter of login URL can allow an attacker to run malicious JavaScript on victim's browser which can lead to unintended re-directs, phishing attacks etc.
P3 Medium
Endpoint: login.php
Parameter: goto
Payload: javascript:confirm%25%32%38document.location%25%32%39;
FirstBlood ID: 39
Vulnerability Type: Reflective XSS
Our mistake: The parameter "goto" on login.php should of been "fixed" when redirecting to prevent XSS but due to an oversight from Sean and Karl, the new code did not make it into production. This has since updated since the event ended and you're recommended to re-try. It's related to bug ID 26 because the idea was developers fixed *this* one (when redirecting) but forgot the other reflection.