FirstBlood-#1335 — Stored XSS to account takeover of doctors
This issue was discovered on FirstBlood v3
On 2022-12-09, pichik Level 4 reported:
The join-event function is vulnerable to XSS in the phone number parameter.
If you visit https://aab6a2a97295-pichik.a.firstbloodhackers.com/hackerback.html you can join the event by submitting your name and phone.
The phone parameter has weak, client-side-only protection, which checks whether the value is a number only. You can bypass this by intercepting the request with Burp and changing the payload there.
Here is a simple alert payload:
POST /api/hackerback.php HTTP/1.1
Host: aab6a2a97295-pichik.a.firstbloodhackers.com
Cookie: drps=35187c4f3abda278280e775d6
Upgrade-Insecure-Requests: 1
Origin: https://aab6a2a97295-pichik.a.firstbloodhackers.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/220.127.116.11 Safari/537.36

full_name=hellothere&phone="><script>alert(1)</script>&submit=Signup
An attacker can use a payload like this:
to redirect doctors to his site and steal their cookies by appending them to the URL.
Cookies are missing the HttpOnly flag, which allows them to be accessed from script.
To trigger this XSS, doctors just need to visit:
which is the main endpoint for doctors, so after logging in, every doctor is affected.
An attacker can take over any doctor that logs in.
There is only a client-side check that the phone parameter is numeric, which can be easily bypassed with a proxy, so adding an additional server-side check should fix this issue.
FirstBlood ID: 59
Vulnerability Type: Stored XSS
It is possible to execute XSS against the admin via the PHONE parameter on /api/hackerback.php. The developer thought setting the input type to "tel" would prevent users from entering malicious payloads.
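A server-side check of the kind the report recommends, written as an added example in PHP (not FirstBlood's own code; the function names, the JSON error body and the rendering markup are assumptions): the phone value is validated before it is stored, and encoded when it is rendered into the doctors' page, so the input type="tel" attribute is no longer the only control.

```php
<?php
// Added example, not FirstBlood's code. Function names, the JSON error
// body and the rendering markup are assumptions made for illustration.
declare(strict_types=1);

// Server-side counterpart of the input type="tel" check: strip separators
// people commonly type, then accept only an optional '+' and 7 to 15 digits.
// Returns the normalised number, or null when the value is rejected.
function validate_phone(string $raw): ?string
{
    $normalised = preg_replace('/[\s().-]/', '', $raw);
    if ($normalised === null || !preg_match('/^\+?[0-9]{7,15}$/', $normalised)) {
        return null;
    }
    return $normalised;
}

// The report's payload breaks out of an attribute with "> so both quotes
// and angle brackets must be encoded before a stored value reaches HTML.
function html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Handles the signup POST: validate before storing, respond 400 on rejection.
function handle_signup(array $post): array
{
    $phone = validate_phone((string) ($post['phone'] ?? ''));
    if ($phone === null) {
        return ['status' => 400, 'body' => ['error' => 'phone must contain digits only']];
    }
    // ... persist $post['full_name'] and $phone here ...
    return ['status' => 200, 'body' => ['phone' => $phone]];
}

// Renders a stored phone back into the doctors' page, encoded for an attribute.
function render_phone(string $stored): string
{
    return '<input type="tel" value="' . html_attr($stored) . '">';
}

// Constructed inputs: a legitimate number and the injection attempt from the report.
$legit    = handle_signup(['full_name' => 'hellothere', 'phone' => '+1 (555) 010-2000']);
$rejected = handle_signup(['full_name' => 'hellothere', 'phone' => '"><script>alert(1)</script>']);

echo json_encode([
    'legit'    => $legit,
    'rejected' => $rejected,
    'rendered' => render_phone($legit['body']['phone']),
], JSON_PRETTY_PRINT), "\n";
```

The validation rejects the report's payload outright; the encoding step is the second layer, so a value that reaches the page through another path (an older record, a different endpoint) still cannot close the attribute.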