FirstBlood-#1138Reflected XSS on /doctors.php
This issue was discovered on FirstBlood v3

On 2022-12-08, 0xblackbird Level 5 reported:


Hi mate!

I found a reflected XSS vulnerability on /doctors.php.


I was able to execute javascript code on any user's behalf (as long as they visit my malicious link).

Possible cause:

User input that got passed through the doctor query parameter was not validated or encoded properly.

Steps to reproduce:

Proof of concept: /doctors.php?doctor=2%27-alert(document.domain)//

1) Spin up firstblood v3 if you haven't already 2) Visit the path PoC above 3) An alert popup should appear with the document's domain

4) If you take a look at the source code closely, you can see where user input wasn't handeld correctly:


For reflected and stored XSS vulnerabilities it is always necessary to encode any user input accordingly. Here, the single quote was left unencoded and allowed me to escape the variable context.

Thanks for hosting such an awesome event again!

Kind regards, 0xblackbird

P3 Medium

Endpoint: /doctors.php

Parameter: doctor

Payload: 2'-alert(document.domain)//

FirstBlood ID: 47
Vulnerability Type: Reflective XSS

The endpoint /doctors.php is vulnerable to reflective XSS via the ?doctor= parameter