FirstBlood-#791 — Reflective XSS on Login page using the hidden "goto" parameter
This issue was discovered on FirstBlood v2
On 2021-10-28, xnl-h4ck3r reported:
There is a reflected XSS on the /login.php endpoint using the hidden goto parameter, which leads to account takeover.
Steps to reproduce
The goto parameter was a hidden parameter found in Version 1. When used on the login.php endpoint it is reflected in the HTML source code:
- Go to /login.php and log in as an existing user.
- Go to the following endpoint and observe that the XSS payload redirects the user to an attacker's site and leaks the cookies in the URL:
An attacker can craft a malicious link to send to a user. If the user is already authenticated, the injected script reads the user's cookies (so the session cookie must be readable from JavaScript) and sends them to the attacker by redirecting to an attacker-controlled site, after which the attacker can take over the user's account.
FirstBlood ID: 26
Vulnerability Type: Reflective XSS
The developers thought they had fixed ?goto= when reflected in an input tag on login.php from a similar bug (ID 39), but because this endpoint uses legacy code their changes were not applied here and thus the XSS was forgotten.
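As an added illustration (not code from the report, from xnl-h4ck3r, or from FirstBlood), the following Python check shows how to detect this class of bug without a working payload: it pushes a canary containing the attribute-breaking characters through a parameter and classifies whether it comes back verbatim or HTML-encoded. It models two code paths for the same page, a patched one and a legacy one, to mirror the situation above where the input-tag fix existed but the legacy login.php code never received it. The page templates, the canary string and all function names are constructed assumptions; the real FirstBlood markup and payload are not on this page.

```python
"""Canary-based reflection check for a hidden parameter such as ?goto= on login.php.

Added example, not the report's or FirstBlood's own code. The two render_*
functions are constructed stand-ins for server responses so the check runs
offline; against a live target they are replaced by an HTTP GET.
"""
import html
from urllib.parse import urlencode

# Canary: a unique prefix plus every character needed to break out of an
# HTML attribute value or tag. The prefix keeps it from matching real content.
CANARY = 'xnl9q"\'<>'


def render_legacy_login(goto: str) -> str:
    """Constructed stand-in for the unfixed legacy code path:
    the goto value lands inside the value attribute untouched."""
    return (
        '<form action="login.php" method="post">'
        f'<input type="hidden" name="goto" value="{goto}">'
        '</form>'
    )


def render_fixed_login(goto: str) -> str:
    """Constructed stand-in for the patched code path:
    the value is HTML-escaped (the PHP equivalent is htmlspecialchars with
    ENT_QUOTES), so quotes and angle brackets cannot close the attribute."""
    safe = html.escape(goto, quote=True)
    return (
        '<form action="login.php" method="post">'
        f'<input type="hidden" name="goto" value="{safe}">'
        '</form>'
    )


def reflection_context(body: str, canary: str = CANARY):
    """Classify how a canary came back in a response body.

    Returns 'unescaped' if it appears verbatim (attribute breakout possible),
    'escaped' if it appears only in HTML-encoded form, or None if the
    parameter is not reflected at all.
    """
    if canary in body:
        return "unescaped"
    if html.escape(canary, quote=True) in body:
        return "escaped"
    return None


def build_probe_query(param: str = "goto", canary: str = CANARY) -> str:
    """Query string to append to the target URL, e.g. /login.php?<this>."""
    return urlencode({param: canary})


def probe_paths(paths: dict) -> dict:
    """Run the canary through every code path and return {name: verdict}.

    `paths` maps a label to a callable that takes the raw parameter value and
    returns the response body. For a live target the callable would issue
    the GET with build_probe_query() and return response.text.
    """
    return {name: reflection_context(render(CANARY)) for name, render in paths.items()}


def still_vulnerable(verdicts: dict) -> list:
    """Names of code paths where the canary was reflected unescaped."""
    return sorted(name for name, v in verdicts.items() if v == "unescaped")


if __name__ == "__main__":
    results = probe_paths({
        "login.php (patched path)": render_fixed_login,
        "login.php (legacy path)": render_legacy_login,
    })
    for name, verdict in results.items():
        print(f"{name}: {verdict}")
    print("probe query:", build_probe_query())
    print("unfixed paths:", still_vulnerable(results))
```

The point of checking every path rather than one is exactly the failure described in the developer note: a fix verified on the copy of the template that was patched says nothing about a second copy served by legacy code. An 'unescaped' verdict on any path means the encoding fix is incomplete, and that is enough to report even before a redirect-and-exfiltrate payload is written. Note the canary includes both quote styles because a value attribute may be delimited with either.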