FirstBlood-#842Open Redirect on login.php with goto parameter
This issue was discovered on FirstBlood v2

On 2021-10-29, xnl-h4ck3r Level 4 reported:

I realised I have submitted Report #432 for open redirect on the same endpoint but using the javascript schema. I wasn't completely sure if this open redirect is classed as the same bug, or a separate bug.


There is an open redirect on /login/php using the goto parameter that is not sanitised correctly, allowing an attacker to redirect a user to their site after login has happened. The parameter is also vulnerable to XSS (reported previously) which is more critical, but this is classed as a separate vulnerability.

Steps to reproduce

  1. Go to the endpoint /login.php?goto=// and enter the login details.
  2. Press SECURE LOGIN and observe the user is redirected to a different site.


Although this has lower impact that the XSS vulnerability on the same endpoint and parameter, this needs to be addressed separately. An attacker can craft a login link for a victim that will redirect them to the attackers site once logged in.

P5 Informative

Endpoint: /login/php

Parameter: goto

Payload: //

Even though this issue has been accepted as valid, no FirstBlood ID has been set for this report.

Report Feedback


Creator & Administrator

Hi there, the intended bug for this was actually XSS as the redirect occurs via JS if you check the source and has more impact than the open redirect. You're right it's also vulnerable to open redirect so I won't reject but also won't assign any ID as no XSS demonstrated here :)