FirstBlood-#1571 Blind XSS on Internal Administrator dashboard
This issue was discovered on FirstBlood v3

On 2022-12-11, mr_xhunt Level 8 reported:

Since /login.php mentioned that attempts to login will be logged, while spraying the XSS payload randomly I found the blind XSS in the username parameter on the

Steps to Reproduce:

  1. Visit the /login.php endpoint
  2. In the username field, enter the payload "><script src=></script> and hit Login
  3. Wait a few hours; when the admin actually visits the page, the payload is executed
  4. Blind XSS is executed and the PoC can be seen on XSSHUNTER:

Endpoint: /login_attempts.php

Parameter: username

Payload: "><script src=></script>

FirstBlood ID: 72
Vulnerability Type: Stored XSS

Login attempts were logged on an internal panel on and the username is vulnerable to blind XSS affecting FirstBlood staff
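The root cause described above is a logged username being written into the internal page without output encoding. The following is an added example, not FirstBlood's own code: a minimal rendering of one login-attempt row, first as the vulnerable form (raw value inside an attribute, which the leading `">` of the reported payload breaks out of), then hardened with HTML encoding at the point of output. Function names, field names and the log entry are assumptions constructed for the example.

```php
<?php
// Added example (not FirstBlood's code). Field and function names are assumed.

// Constructed log entry using the payload from the report. The raw value is
// kept as logged: the fix is to encode on output, not to strip on input, so
// the record stays useful for incident review.
$attempt = [
    'time'     => '2022-12-11 10:00:00',
    'ip'       => '203.0.113.5',          // documentation range, constructed
    'username' => '"><script src=></script>',
];

// Vulnerable rendering: the stored username lands unencoded inside
// value="...". The leading "> terminates the attribute and the <input> tag,
// so the rest of the string is parsed as live markup when staff open the page.
function render_attempt_vulnerable(array $a): string
{
    return '<tr><td>' . $a['time'] . '</td><td>' . $a['ip'] . '</td>'
         . '<td><input type="text" value="' . $a['username'] . '" readonly></td></tr>';
}

// Encode every untrusted value for an HTML body or attribute context.
// ENT_QUOTES covers both " and ' so quoted attributes cannot be closed early;
// the explicit UTF-8 charset avoids encoding mismatches being used to smuggle
// control characters through the encoder.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened rendering: same layout, every field passed through h() at output.
function render_attempt_safe(array $a): string
{
    return '<tr><td>' . h($a['time']) . '</td><td>' . h($a['ip']) . '</td>'
         . '<td><input type="text" value="' . h($a['username']) . '" readonly></td></tr>';
}

echo "vulnerable: ", render_attempt_vulnerable($attempt), PHP_EOL;
echo "hardened:   ", render_attempt_safe($attempt), PHP_EOL;
```

Run with `php example.php` and compare the two rows: in the hardened output the quote and angle brackets appear as entities, so the browser shows the payload as text inside the field instead of executing it.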