The application was built from two parts: a frontend page (https://h4x0rs.club/game/) and a backend page (https://backend.h4x0rs.club/backend_www/), communicating via postMessage. There were several issues:
- Stored XSS on the user profile page.
It's also possible to make the victim's browser trigger a click on an injected element:
if(location.hash.slice(1) == 'report'){
document.getElementById('report-btn').click();