FirstBlood-#1049 — Reflective XSS in appointment feature
This issue was discovered on FirstBlood v3
On 2022-12-08, ayush1098 
Level 8
reported:
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles
Hello Team,
Summary
Endpoint : /book-appointment.html
Payload Used : javascript:alert(document.domain)
I have found a Reflected XSS at /book-appointment endpoint. While sending the request to /book-appointment.html, there is a intermediate request and while reading the DOM, we can notice that it is taking a parameter name redirect_url. We can put any arbitary URL in the parameter and it will redirect us to that URL. I have exploited this to reflected XSS.
Steps To Reproduce:
-
GO to the http://cc0ee1c7497f-ayush1098.a.firstbloodhackers.com/book-appointment.html?redirect_url=javascript:alert(document.domain).
-
It will alert the domain of the container. We can exploit this to steal cookies of the doctor(still trying to find a way to register)
Note: I mistyped, this is a reflected XSS, not a Stored XSS
Impact:
Cookie Stealing, Session Hijacking etc..
Thanks & Regards
Ayush Singh
P3 Medium
Endpoint: /book-appointment.html
Parameter: return_url
Payload: javascript:alert(document.domain)
FirstBlood ID: 46
Vulnerability Type: Reflective XSS
The endpoint book-appointment.php was introduced to replace book-appointment.html, but code on book-appointment.html introduces an XSS vulnerability via the javascript: URI
Report Feedback
Creator & Administrator
Congratulation, you were the second researcher to discover this!