I am working on a security testing project, where I have noticed that the form action of a login page takes whatever is fed to the URI as a parameter. The respective part of the login page is as follows:
<form action="/admin/login/?param=Whateveryouputhere" method="post" id="login-form">
Actually, you can even omit the “param”; any value after the question mark will still be reflected. The default value for the param is “/next/”, btw.
How could an attacker exploit it, especially via XSS? I tried to escape the quotations but it failed (they are auto-replaced with URL-encodings). Does it mean it is safe?
I have also checked the network tab of the browser; no other relative JS files are loaded except favicon and magnific popup.
Finally, the URL is in the form of site.com/admin/login/?param=value
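The encoding behaviour described in the question can be checked from the defender's side. The following is an added example, not part of the original post and not the site's code: it reflects a query string into the quoted `action` attribute with and without encoding, then parses the result to see whether the `<form>` tag kept exactly its three attributes. The function names, the `SAMPLES` inputs and the unencoded `render_naive` variant are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import quote

LOGIN_PATH = "/admin/login/"                # path taken from the post
EXPECTED_ATTRS = {"action", "method", "id"}  # attributes of the form tag in the post

def render_naive(raw_query: str) -> str:
    """Hypothetical unencoded reflection, kept only as the contrast case."""
    return f'<form action="{LOGIN_PATH}?{raw_query}" method="post" id="login-form">'

def render_login_form(raw_query: str) -> str:
    """Reflect the query string, encoded for a double-quoted HTML attribute."""
    # Layer 1: percent-encode everything outside a URL-safe set, so quotes and
    # angle brackets become %22, %27, %3C, %3E (the behaviour the post observed).
    encoded = quote(raw_query, safe="=&/%-._~")
    # Layer 2: HTML-escape for the attribute context ('&' becomes '&amp;'), so a
    # quote that slipped past layer 1 still could not close the attribute.
    action = escape(f"{LOGIN_PATH}?{encoded}", quote=True)
    return f'<form action="{action}" method="post" id="login-form">'

class _FormAttrs(HTMLParser):
    """Record the attributes of the first <form> start tag in the markup."""
    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "form" and self.attrs is None:
            self.attrs = dict(attrs)

def attribute_breakout(html: str) -> bool:
    """True if the form tag is missing, gained or lost attributes, or its action moved."""
    parser = _FormAttrs()
    parser.feed(html)
    parser.close()
    if parser.attrs is None:
        return True
    return (set(parser.attrs) != EXPECTED_ATTRS
            or not parser.attrs["action"].startswith(LOGIN_PATH + "?"))

# Constructed sample inputs: the default from the post plus HTML metacharacters.
SAMPLES = ["param=/next/", 'a"b', "a'b", "a<b>c", 'x" y="z', "a&b=c"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), attribute_breakout(render_naive(s)),
              attribute_breakout(render_login_form(s)))
```

The check covers only the quoted-attribute context shown in the post; any other place where the same value is reflected needs encoding for its own context.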