FirstBlood-#1002: XSS on /api/ambulances.php?select=
This issue was discovered on FirstBlood v3

On 2022-12-08, properlay Level 7 reported:

Hello, I found an XSS vulnerability on /api/ambulances.php?select=.

When booking an appointment, the first name and last name are vulnerable to XSS.

To reproduce:

  1. When booking an appointment, turn Burp Suite intercept ON.

  2. Fill in all the required info and click Book Appointment.

  3. On the intercepted request, change the first name (fname) value to fname=test<img+src=x+onerror=alert(0)>

  4. And add the parameter ambulance=1 to the request to enable ambulance.

The intercepted request looks like:

POST /api/ba.php HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Anti-Csrf: 73412-7048-28167
Content-Length: 198
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

  5. Forward the request and copy your AppointmentID. (My AppointmentID is 5343f452-5a7d-424a-abc4-87f2063ccdc6)

  6. Then visit ( you need to add your ID)

  7. You will see the XSS execute.

P2 High

FirstBlood ID: 53
Vulnerability Type: Stored XSS

It is possible to achieve stored XSS on /api/ambulances.php?select={id} via the user's first/last name. For this to work, the parameter ambulance=1 must be set.
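
The fix for this class of bug is to encode the stored name at the point of output. The following is an added example, not FirstBlood's own code: the record layout and all function names are assumptions, and only the fname value and the AppointmentID are taken from the report. It puts the assumed vulnerable rendering next to two hardened forms.

```php
<?php
// Added illustration, not FirstBlood source. The record layout and the
// function names are assumptions; the fname value is the one from the
// report ('+' decodes to a space in a form-encoded body).
$appointment = [
    'id'        => '5343f452-5a7d-424a-abc4-87f2063ccdc6',
    'fname'     => 'test<img src=x onerror=alert(0)>',
    'lname'     => 'User', // constructed
    'ambulance' => 1,
];

// Assumed vulnerable pattern: stored names concatenated into HTML as-is.
function render_unsafe(array $a): string
{
    return '<div class="ambulance">' . $a['fname'] . ' ' . $a['lname'] . '</div>';
}

// Encode for the HTML context at output time, quotes included.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened HTML output: every stored field passes through h().
function render_safe(array $a): string
{
    return '<div class="ambulance">' . h($a['fname']) . ' ' . h($a['lname']) . '</div>';
}

// Hardened API output: JSON with <, >, &, ' and " hex-escaped. Serve it with
// Content-Type: application/json and X-Content-Type-Options: nosniff so the
// browser never parses the response as HTML.
function render_json(array $a): string
{
    return json_encode(
        ['id' => $a['id'], 'fname' => $a['fname'], 'lname' => $a['lname']],
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

echo render_unsafe($appointment), PHP_EOL; // markup from fname is emitted intact
echo render_safe($appointment), PHP_EOL;   // fname is emitted as inert text
echo render_json($appointment), PHP_EOL;   // fname stays inside a JSON string
```

Validating the name fields when /api/ba.php accepts them is a useful second layer, but output encoding is what closes the hole for records already stored.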

Report Feedback


Creator & Administrator

Congratulations, you were the first to discover this bug! Great work.