FirstBlood #1135: Reflected XSS at about.html
This issue was discovered on FirstBlood v3
On 2022-12-08, ayush1098 Level 8 reported:

Hello Team,

Summary

Endpoint: /about.html
Payload Used: javascript:alert(document.cookie)

I have found a Reflected XSS at the /about.html endpoint. While sending the request to /about.html, there is an intermediate request, and while reading the DOM, we can notice that it is taking a parameter named return_url. We can put any arbitrary URL in the parameter and it will redirect us to that URL. I have exploited this for reflected XSS.

Steps To Reproduce:

  1. Go to http://cc0ee1c7497f-ayush1098.a.firstbloodhackers.com/about.html?redirect_url=javascript:alert(document.domain).

  2. It will alert the domain of the container. We can exploit this to steal the cookies of the doctor (still trying to find a way to register).

Impact:

Cookie stealing, session hijacking, etc.

Thanks & Regards

Ayush Singh

P3 Medium

Endpoint: /about.html

Parameter: return_url

Payload: NA
FirstBlood ID: 45
Vulnerability Type: Reflective XSS

The endpoint about.php was introduced to replace about.html, but code on about.html introduces an XSS vulnerability via the javascript: URI
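As an added illustration (not FirstBlood's code, and not the reporter's), the following JavaScript shows the defensive form of the return-URL handling that the description above implies. The page reads a return URL from the query string and navigates to it unchecked, so a javascript: value runs in the page's origin; the hardened handler resolves the value against the page's own origin and only allows http(s) URLs on that same origin, falling back to a known path otherwise. The origin `https://app.example.test` and the parameter name `return_url` are assumptions for the example.

```javascript
// Added example (not FirstBlood's own code): defensive handling of a
// return_url query parameter. The unsafe pattern the report describes is
// equivalent to `location.href = params.get("return_url")` with no check.

const SAFE_FALLBACK = "/";

// Return a safe absolute URL string for a raw return_url value.
// `pageOrigin` is assumed to be the origin of the page doing the redirect.
function safeReturnUrl(raw, pageOrigin) {
  const fallback = new URL(SAFE_FALLBACK, pageOrigin).href;
  if (typeof raw !== "string" || raw.trim() === "") {
    return fallback;
  }
  let target;
  try {
    // Relative paths ("/doctor/home") resolve against the page origin;
    // absolute URLs keep their own scheme and host, which are checked below.
    target = new URL(raw.trim(), pageOrigin);
  } catch {
    return fallback; // unparsable value
  }
  // Allow only http(s). This is the check that rejects "javascript:" and
  // "data:" URIs; the URL parser lowercases the scheme, so mixed case and
  // embedded tabs/newlines do not bypass it.
  if (target.protocol !== "http:" && target.protocol !== "https:") {
    return fallback;
  }
  // Reject open redirects to other origins (including "//evil.example/").
  if (target.origin !== new URL(pageOrigin).origin) {
    return fallback;
  }
  return target.href;
}

// Where the original page would navigate: parse the query string and only
// ever hand a validated URL to location.
function redirectFromQuery(search, pageOrigin) {
  const params = new URLSearchParams(search);
  return safeReturnUrl(params.get("return_url"), pageOrigin);
}

// Stand-alone demo with constructed inputs.
if (typeof require !== "undefined" && require.main === module) {
  const origin = "https://app.example.test";
  const samples = [
    "?return_url=/doctor/home",
    "?return_url=javascript:alert(document.domain)",
    "?return_url=https://evil.example.test/",
    "?return_url=//evil.example.test/",
  ];
  for (const q of samples) {
    console.log(q, "->", redirectFromQuery(q, origin));
  }
}
```

In a real page the browser would then run `location.href = redirectFromQuery(location.search, location.origin)`; the point is that the value reaching `location` has already been reduced to a same-origin http(s) URL or the fallback path.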