FirstBlood-#892 — Reflected XSS on the login form in the goto parameter
This issue was discovered on FirstBlood v2
On 2021-10-30, vigilante Level 4 reported:
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Membership
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles
Summary:
There's a reflected XSS vulnerability on POST /login.php?action=login with the "goto" parameter.
I ran the param miner extension in Burp and it indicated that there's a "goto" parameter.
Identified parameter on 71db6da74f3c-vigilante.a.firstbloodhackers.com: goto
Steps to Reproduce:
- Visit /login.php?goto=javascript:confirm
123
- Enter valid credentials to log in.
- After pressing the "Secure Login" button, our XSS payload will execute.
Impact
We are able to execute javascript in the victims browser.
P3 Medium
Endpoint: /login.php
Parameter: ?goto=
Payload: javascript:confirm`123`
FirstBlood ID: 39
Vulnerability Type: Reflective XSS
Our mistake: The parameter "goto" on login.php should of been "fixed" when redirecting to prevent XSS but due to an oversight from Sean and Karl, the new code did not make it into production. This has since updated since the event ended and you're recommended to re-try. It's related to bug ID 26 because the idea was developers fixed *this* one (when redirecting) but forgot the other reflection.