FirstBlood-#781: The parameter "goto" is vulnerable to XSS on login.php.
This issue was discovered on FirstBlood v2

On 2021-10-28, vigilante Level 4 reported:


There's a reflected XSS vulnerability on /login.php for the GET parameter "goto".

I ran the param miner extension in Burp and it indicated that there's a "goto" parameter.

Identified parameter on goto

Steps to Reproduce:

  1. Visit /login.php
  2. Add the ?goto= parameter with the following payload: test"><scr<script>ipt>confirm`1`</scr</script>ipt><"

The word "script" by itself is filtered; that's why we are using "<scr<script>ipt>".

The full URL is: "><scr<script>ipt>confirm`1`</scr</script>ipt>

  3. After visiting the URL, the XSS pop-up will show up.


We are able to execute JavaScript in the victim's browser.

P3 Medium

Endpoint: /login.php

Parameter: ?goto=

Payload: test"><scr<script>ipt>confirm`1`</scr</script>ipt>

FirstBlood ID: 26
Vulnerability Type: Reflective XSS

The developers thought they had fixed ?goto= when reflected in an input tag on login.php from a similar bug (ID 39), but because this endpoint uses legacy code, their changes were not applied here and thus the XSS was forgotten.
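
Why the filter described in the report fails, and the encoding that closes the hole, as an added example (not FirstBlood's code). The filter is modelled from the report's description as a single-pass removal of script tags; the function names and the input markup are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical model of the legacy filter described in the report: a single
// pass that deletes <script> and </script>. Not FirstBlood's actual code.
function legacy_filter(string $value): string
{
    // str_ireplace does not rescan its own output, so removing the inner
    // tag from "<scr<script>ipt>" leaves a fresh "<script>" behind.
    return str_ireplace(['<script>', '</script>'], '', $value);
}

// Context-aware output encoding for a quoted HTML attribute value.
function encode_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Assumed markup: the report only says goto is reflected in an input tag.
function render_goto_input(string $attrValue): string
{
    return '<input type="hidden" name="goto" value="' . $attrValue . '">';
}

// Payload as given in the report.
$goto = 'test"><scr<script>ipt>confirm`1`</scr</script>ipt>';

$legacy = render_goto_input(legacy_filter($goto));
$fixed  = render_goto_input(encode_attr($goto));

// Legacy path: the quote closes the attribute and a script tag is reassembled.
var_dump(stripos($legacy, '"><script>') !== false);

// Encoded path: no raw quote or angle bracket from the input reaches the markup.
$inner = substr($fixed, strlen('<input type="hidden" name="goto" value="'), -2);
var_dump(strpbrk($inner, '"<>\'') === false);

echo $legacy, PHP_EOL, $fixed, PHP_EOL;
```

Sending every reflection of goto through one shared encoder, rather than patching each template separately, is what keeps a legacy endpoint like this one from missing the fix.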