FirstBlood-#1613 — Stored XSS leading to account takeover in admin user's dashboard via signing up for hackerback
This issue was discovered on FirstBlood v3
On 2022-12-12, ar6aaz Level 3 reported:
I have come across a Stored XSS vulnerability on FirstBlood v3. The bug exists in the hackerback signup API, and affects the admin user.
Steps to Reproduce:
- When a user signs up for Hackerback, it shows up in the admin user's dashboard as "XYZ has joined the event". This notification has two parameters, name & phone.
- Go to /hackerback.html and click on sign up. Enter details on the form and intercept the request in Burp.
- In Burp, change the value of "phone" parameter to "><svg+onload%3dalert(document.cookie)> and send the request.
- Log in to the application using the credentials: admin/admin
The Stored XSS will execute and show the admin's cookie in a popup.
Example of cookie extracted below:
FirstBlood ID: 59
Vulnerability Type: Stored XSS
It is possible to execute XSS against the admin via the PHONE parameter on /api/hackerback.php. The developer thought setting the input type to "tel" would prevent users from entering malicious payloads.
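As an added example (not FirstBlood's own code) of the fix this description implies: the "tel" input type is enforced only by the browser form, so the API has to validate the phone value itself, and the admin dashboard has to HTML-encode it when rendering the notification. The phone policy, function names and the simulated handler are assumptions; the payload is the one from the report, URL-decoded.

```javascript
// Server-side phone policy (assumed, not the platform's actual rule):
// optional "+", then digits with spaces, dashes or parentheses, 7-20 chars.
const PHONE_RE = /^\+?[0-9][0-9 ()-]{5,18}[0-9]$/;

function isValidPhone(phone) {
  return typeof phone === "string" && PHONE_RE.test(phone);
}

// Escape the characters that can break out of text or a quoted attribute.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable rendering: untrusted values are concatenated straight into markup,
// which is the pattern the report exploits via the phone field.
function renderNotificationUnsafe(name, phone) {
  return `<div class="notice">${name} has joined the event ` +
    `(<span data-phone="${phone}">${phone}</span>)</div>`;
}

// Hardened rendering: every untrusted value is encoded before insertion.
function renderNotificationSafe(name, phone) {
  return `<div class="notice">${escapeHtml(name)} has joined the event ` +
    `(<span data-phone="${escapeHtml(phone)}">${escapeHtml(phone)}</span>)</div>`;
}

// Simulated signup handler (hypothetical): reject bad input before it is
// stored, and encode on output as defence in depth.
function handleSignup(body) {
  if (!isValidPhone(body.phone)) {
    return { status: 400, error: "invalid phone number" };
  }
  return { status: 200, notification: renderNotificationSafe(body.name, body.phone) };
}

// Constructed input: the report's payload after URL decoding.
const REPORTED_PAYLOAD = '"><svg onload=alert(document.cookie)>';
```

Validation alone is not enough: a later field with a looser policy would reopen the issue, which is why the renderer encodes regardless.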