FirstBlood-#737XSS through hidden `goto` parameter on `/login.php`
This issue was discovered on FirstBlood v2

On 2021-10-27, eliee Level 7 reported:


The parameter goto is vulnerable to XSS. Additionally, the parameter carries over when logging in as a doctor.

Steps to reproduce

  1. Visit /login.php?goto="><a/href=javascript:confirm`1`>
  2. Try to click the username field - a confirm dialog should appear showing 1

PoC - steal credentials from login page

Visit /login.php?goto="/type=hidden></form/x><form/action=//><x/a. The link has been fitted with a payload to

  1. Close the input tag we inject into
  2. Close the original form tag on the page
  3. Create a new form tag pointing at a URL we control
  4. Create a random element to hide the leftovers from destroying the hidden input goto that would otherwise display

If we submit our credentials from this page now, the request will go to // instead of the intended /login.php at Firstblood and our server now has a record of the user's credentials. In a real world scenario, a malicious actor would probably forward the victim back to /login.php with the same credentials, thus making the attack much more difficult to spot.

Another payload

  1. Visit
  2. Log in as any doctor
  3. When logged in, an XSS should trigger displaying the cookie


Before logging in

After logging in


Arbitrary JavaScript execution on the login page of doctors and when logging in. Basically, the first payload lets us steal credentials, the second payload lets us hijack the logged in session.


goto should be sanitized before being reflected back to the user, both in the login form on login.php and in the response when logged in after a POST request to login.php.

P2 High

Endpoint: /login.php

This report contains multiple vulnerabilities:

  • Reflective XSS
  • Reflective XSS

FirstBlood ID: 26
Vulnerability Type: Reflective XSS

The developers thought they had fixed ?goto= when reflected in an input tag on login.php from a similar bug (ID 39), but because this endpoint uses legacy code their changes were not applied here and thus the XSS was forgotten.

FirstBlood ID: 39
Vulnerability Type: Reflective XSS

Our mistake: The parameter "goto" on login.php should of been "fixed" when redirecting to prevent XSS but due to an oversight from Sean and Karl, the new code did not make it into production. This has since updated since the event ended and you're recommended to re-try. It's related to bug ID 26 because the idea was developers fixed *this* one (when redirecting) but forgot the other reflection.