FirstBlood-#454[COLLAB] Reflected XSS via login endpoint
This issue was discovered on FirstBlood v2

On 2021-10-25, amec0e (Level 3) reported:

Hi mate,

I was checking over previous reports and I noticed "Patrice" didn't quite patch one vulnerability, which was the reflected XSS via the goto parameter on the login endpoint. Using nearly the exact same payload, we can achieve a reflected XSS.

Impact:

A malicious user could use this to execute JavaScript code in a victim's browser to steal session cookies.

Steps to Reproduce:

  • Visit the endpoint /login.php

  • Append the following parameter and payload to the URL:

    ?goto="><scr<script>ipt>confirm`1`</scr<script>ipt>

  • Press Enter and observe the payload trigger

Best regards,

Amec0e.

In Collaboration with thebinarybot

P3 Medium

Endpoint: /login.php

Parameter: ?goto

Payload: ?goto="><scr<script>ipt>confirm`1`</scr<script>ipt>

FirstBlood ID: 26
Vulnerability Type: Reflected XSS

The developers thought they had fixed the reflection of ?goto= inside an input tag on login.php after a similar bug (ID 39), but because this endpoint uses legacy code their changes were never applied here, and so the XSS was overlooked.
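The following is an added illustration, not FirstBlood's code: it models a hypothetical single-pass tag-stripping filter (an assumption about the kind of "fix" the nested-tag payload above gets past), contrasts it with contextual attribute encoding, and includes a parser-based check a developer can use to verify that the reflected value no longer creates a new tag.

```python
import html
import re
from html.parser import HTMLParser

# Payload quoted in the report: the tag is split so that one pass of
# "<script>" removal reassembles it.
PAYLOAD = '"><scr<script>ipt>confirm`1`</scr<script>ipt>'

# Template standing in for the input tag on login.php (assumed shape).
INPUT_TEMPLATE = '<input type="hidden" name="goto" value="%s">'


def naive_strip_once(value: str) -> str:
    """Hypothetical weak filter: delete literal <script>/</script> tags in a
    single pass. Removing the inner tags leaves a fully formed <script> tag."""
    return re.sub(r'</?script>', '', value, flags=re.IGNORECASE)


def render_weak(goto: str) -> str:
    """Reflect the value into the attribute after the weak filter."""
    return INPUT_TEMPLATE % naive_strip_once(goto)


def render_fixed(goto: str) -> str:
    """Contextual output encoding for an HTML attribute: quotes and angle
    brackets become entities, so the value cannot close the attribute or
    open a tag regardless of what filters ran before it."""
    return INPUT_TEMPLATE % html.escape(goto, quote=True)


class _TagCollector(HTMLParser):
    """Collects start tags the way a browser's tokenizer would see them."""
    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


def tags_in(rendered: str) -> list[str]:
    """Defender's check: the rendered fragment must contain only the input
    tag. Any additional tag means the reflected value escaped the attribute."""
    collector = _TagCollector()
    collector.feed(rendered)
    collector.close()
    return collector.tags
```

Run the check against both renderers: the weak filter yields a `script` tag beside the `input`, while the encoded version yields only the `input` tag.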