FirstBlood-#1126 — DOM-based XSS on /book-appointment.html can lead to account takeover
This issue was discovered on FirstBlood v3
On 2022-12-08, 0xblackbird reported:
I hope you're doing well today!
I found a DOM-based XSS vulnerability on
book-appointment.html. This looks like the same cause as the about.html DOM XSS.
Steps to reproduce:
Proof of concept:
1) Spin up firstblood v3 if you haven't already 2) Visit the path PoC above 3) An alert popup should appear with the document's domain
Now, if the user is authenticated, we can easily takeover the doctor's account as cookies are not HTTPOnly. To do so, we could use the following payload to steal and send the cookies back to us:
Upon visiting the URL (as the victim), we can see a hit with the cookies on our server:
For DOM-based XSS vulnerabilities, I recommend to not pass raw user input into DOM sinks without proper validation. Use the
history.pushState()method if you want to redirect a user without them ending up somewhere else or having JS executed in their web browser.
Thanks for hosting such an awesome event again!
Kind regards, 0xblackbird
FirstBlood ID: 46
Vulnerability Type: Reflective XSS