FirstBlood-#1319 — Blind xss on FirstBloodHackers INTERNAL ADMIN PANEL
This issue was discovered on FirstBlood v3
On 2022-12-09, didsec Level 5 reported:
I found that the internal admin page is vulnerable to a blind XSS via login attempts on login.php
To reproduce:
- Go to the login page
- Enter payload in the username and password fields
- Click login
An attacker is able to access critical information from the admin panel.
XSS Hunter report below
- URL (the page the payload fired on): `https://firstblood-helper.com/login_attempts.php?id=683`
- IP Address (remote IP address of the victim): `184.108.40.206`
- Referer (referring page for the vulnerable page): `https://firstblood-helper.com/login_attempts.php`
- User-Agent (web browser of the victim): `Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/220.127.116.11 Safari/537.36`
- Cookies (non-HttpOnly cookies of the victim): none
- Title (vulnerable page's title): `FirstBloodHackers INTERNAL ADMIN PANEL`
- DOM/HTML (rendered DOM of the vulnerable page): page HTML too large to display inline
- Text of the vulnerable page:
  Logged in as ADMINISTRATOR-SEAN
  Home
  Login Attempts
  INTERNAL USE ONLY
  Managing FirstBlood Login Attempts
  The login attempt below was flagged as being potentially malicious.
  ID Username Date Actions
  683 ">
- Origin (HTTP origin of the vulnerable page): `https://firstblood-helper.com`
- Browser Time (reported time according to the victim's browser): `Friday, December 9th 2022, 10:38:55 am (1670582335223)`
- Other: Fired in iFrame?: `false`; vulnerability enumerated `Friday, December 9th 2022, 10:38:57 am`; Report ID: `11b4d0bb-58d4-4a76-be70-8431fe4be1e0`
FirstBlood ID: 72
Vulnerability Type: Stored XSS
Login attempts were logged on an internal panel on firstblood-helper.com, and the logged username was rendered without encoding, so it is vulnerable to blind (stored) XSS that fires in the browser of FirstBlood staff viewing the panel.
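The root cause here is a classic stored-XSS sink: a value the attacker controls (the attempted username) is written into the admin panel's HTML as-is. The following Python example is added for illustration and is not code from FirstBlood or from the reporter; it models the login-attempts row in a constructed `SAMPLE_ATTEMPTS` list (the probe string in it is constructed, not the report's payload), shows the unsafe rendering beside a hardened one that HTML-escapes every untrusted field, and includes two checks a defender can run: one that parses the rendered fragment and confirms no stored data turned into markup, and one that flags logged usernames containing angle brackets so such records can be reviewed before anyone opens them in a browser. Function and field names are assumptions of this example.

```python
import html
from html.parser import HTMLParser

# Constructed sample of what a login-attempt logger might have stored.
# Entry 683 imitates a markup probe of the kind described in the report
# (constructed for this example); the others are ordinary usernames.
SAMPLE_ATTEMPTS = [
    {"id": 683, "username": '"><script>probe()</script>', "date": "2022-12-09 10:38"},
    {"id": 684, "username": "alice", "date": "2022-12-09 10:40"},
    {"id": 685, "username": "O'Brien & Co", "date": "2022-12-09 10:41"},
]

# Tags the row template itself emits; anything beyond these came from stored data.
TEMPLATE_TAGS = ["tr", "td", "td", "input", "td"]


def render_row_unsafe(attempt):
    """Vulnerable sink: the stored username is concatenated straight into HTML.

    A username containing '">' closes the value attribute and the input tag,
    so whatever follows it is parsed as markup by the administrator's browser.
    """
    return (f'<tr><td>{attempt["id"]}</td>'
            f'<td><input value="{attempt["username"]}"></td>'
            f'<td>{attempt["date"]}</td></tr>')


def render_row_safe(attempt):
    """Hardened rendering: every untrusted field is HTML-escaped.

    quote=True also encodes the double and single quote characters, which is
    what keeps an attribute value from being broken out of.
    """
    return (f'<tr><td>{html.escape(str(attempt["id"]), quote=True)}</td>'
            f'<td><input value="{html.escape(attempt["username"], quote=True)}"></td>'
            f'<td>{html.escape(attempt["date"], quote=True)}</td></tr>')


class _TagCollector(HTMLParser):
    """Records start tags in document order so we can compare against the template."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def rendered_tags(fragment):
    """Return the start tags a browser-like parser sees in the fragment."""
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags


def is_expected_markup(fragment):
    """True only when the fragment contains the template's tags and nothing else."""
    return rendered_tags(fragment) == TEMPLATE_TAGS


def flag_suspicious_usernames(attempts):
    """Detection pass over stored attempts: ids whose username carries markup characters."""
    return [a["id"] for a in attempts if "<" in a["username"] or ">" in a["username"]]


if __name__ == "__main__":
    for attempt in SAMPLE_ATTEMPTS:
        unsafe = render_row_unsafe(attempt)
        safe = render_row_safe(attempt)
        print(attempt["id"], "unsafe ok:", is_expected_markup(unsafe),
              "| safe ok:", is_expected_markup(safe))
    print("attempts to review:", flag_suspicious_usernames(SAMPLE_ATTEMPTS))
```

Run stand-alone, the script shows that the unsafe renderer produces an extra `script` tag for record 683 while the escaped version keeps the row to the template's own tags, and that the benign `O'Brien & Co` entry renders correctly either way, which is why markup checks on output, not input filtering alone, are the reliable control. The same escaping rule applies to any other logged field (user agent, referer) that the panel displays.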
Creator & Administrator
CONGRATULATIONS, you were the first user to discover this bug based on login IDs. (although you were NOT the first to report it, I have concerns that some users modified earlier reports). You have won yourself a LIMITED edition BugBountyHunter HAT and a bounty. WELL DONE!!!