FirstBlood-#1148 — Stored xss in HackerBack sign up phone number to Account takeover
This issue was discovered on FirstBlood v3
On 2022-12-08, didsec Level 5 reported:
I have discovered a stored XSS vulnerability affecting the HackerBack sign up, allowing for the retrieval of the user's cookie, which is not using HttpOnly.
- Click the
- Add any name and phone number
- Sign up and intercept the request
- Replace the phone value with the payload
- Forward the request
When a user views the drpanel, the user's drps cookie will be sent to your ngrok server.
- The attacker can steal the cookie from whoever views the page, allowing an account takeover.
- The attacker can steal data from whoever views the page.
FirstBlood ID: 59
Vulnerability Type: Stored XSS
It is possible to execute XSS against the admin via the PHONE parameter on /api/hackerback.php. The developer thought setting the input type to "tel" would prevent users from entering malicious payloads.
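The root cause described above is a client-side-only control (input type "tel") standing in for server-side validation, plus unescaped output of the stored value in the panel and a session cookie readable by script. The following is an added, illustrative hardening of such a sign-up handler; it is not FirstBlood's or HackerBack's own code, and the function names, field names, the phone format rule and the cookie name are assumptions for the example.

```php
<?php
// Added example, not the application's own code. Assumed names: validate_phone,
// html_escape, render_signup_row, set_session_cookie, handle_signup.

declare(strict_types=1);

/**
 * Server-side phone validation. The browser's input type="tel" only changes
 * the UI; it imposes no format and is bypassed by editing the request, so the
 * format has to be enforced here. The rule (optional "+", 7-15 digits) is an
 * assumption chosen for the example.
 */
function validate_phone(string $phone): ?string
{
    $phone = trim($phone);
    if (preg_match('/^\+?[0-9]{7,15}$/', $phone) !== 1) {
        return null;
    }
    return $phone;
}

/**
 * Output encoding for anything echoed into HTML (e.g. the panel that lists
 * sign-ups). Validation is defence in depth; this is the control that stops
 * markup in stored data from executing even if validation is bypassed.
 */
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Render one sign-up row for the panel with every field escaped. */
function render_signup_row(array $row): string
{
    return '<tr><td>' . html_escape((string) $row['name']) . '</td><td>'
        . html_escape((string) $row['phone']) . '</td></tr>';
}

/**
 * Session cookie flagged HttpOnly (not readable from script), Secure and
 * SameSite. HttpOnly does not prevent XSS, but it closes the cookie-theft
 * path that turned this XSS into an account takeover.
 */
function set_session_cookie(string $name, string $value): bool
{
    return setcookie($name, $value, [
        'expires'  => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

/** Handle the sign-up POST; returns [HTTP status, message]. */
function handle_signup(array $post): array
{
    $name  = trim((string) ($post['name'] ?? ''));
    $phone = validate_phone((string) ($post['phone'] ?? ''));

    if ($name === '' || strlen($name) > 100) {
        return [400, 'invalid name'];
    }
    if ($phone === null) {
        return [400, 'invalid phone number'];
    }
    // Persist $name and $phone with a parameterised query at this point.
    return [200, 'ok'];
}

// Usage with constructed input: one valid submission and one carrying markup
// in the phone field, which is rejected before it is ever stored.
[$statusOk]  = handle_signup(['name' => 'Alice', 'phone' => '+15551234567']);
[$statusBad] = handle_signup(['name' => 'Alice', 'phone' => '<b>not a number</b>']);
echo "valid: $statusOk, markup in phone: $statusBad\n";
echo render_signup_row(['name' => 'Alice', 'phone' => '+15551234567']) . "\n";
```

Both layers matter independently: rejecting non-numeric input keeps script out of the database, and escaping on output protects the panel if any other path writes to the same table. The HttpOnly flag is the third, separate fix for the impact the report describes.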