FirstBlood-#1283: Reflected XSS on /book-appointment.html endpoint in the `redirect url` parameter
This issue was discovered on FirstBlood v3

On 2022-12-09, mr_xhunt Level 8 reported:


I found that the endpoint /book-appointment.html used to redirect to /book-appointment.php, so I used the redirect_url parameter I had already found and, with a simple JS payload, got the XSS.

Steps to Reproduce:

  1. Visit the following link with the payload:


The attacker can leak the user's cookie and take over their account.

Underlying Issue

The parameter redirect_url value is accepted without sanitization.


The parameter value must be sanitized before redirect.

P3 Medium

Endpoint: /book-appointment.html

Parameter: redirect_url

Payload: javascript:alert(document.cookie)

FirstBlood ID: 46
Vulnerability Type: Reflective XSS

The endpoint book-appointment.php was introduced to replace book-appointment.html, but code on book-appointment.html introduces an XSS vulnerability via the javascript: URI.
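One way to validate `redirect_url` before navigating, shown as an added example that is not FirstBlood's code. It assumes the page navigates the browser to the parameter value; the helper name `safeRedirectTarget` and the origin `https://firstblood.example` are hypothetical placeholders.

```javascript
// Added example (hypothetical helper, not the application's own code).
// SITE_ORIGIN is a constructed placeholder for the site's real origin.
const SITE_ORIGIN = "https://firstblood.example";
// The page names book-appointment.php as the replacement endpoint.
const FALLBACK = "/book-appointment.php";

// Returns a same-origin path that is safe to navigate to,
// or FALLBACK when the supplied value is missing or unsafe.
function safeRedirectTarget(raw, origin = SITE_ORIGIN) {
  if (typeof raw !== "string" || raw.length === 0) return FALLBACK;
  let url;
  try {
    // Parse with the same WHATWG rules the browser applies: the scheme is
    // lowercased and surrounding whitespace is stripped before we inspect it.
    url = new URL(raw, origin);
  } catch {
    return FALLBACK;
  }
  // Scheme allowlist: rejects javascript:, data: and any other non-HTTP scheme.
  if (url.protocol !== "http:" && url.protocol !== "https:") return FALLBACK;
  // Same-origin only, so the parameter cannot be used as an open redirect.
  if (url.origin !== new URL(origin).origin) return FALLBACK;
  // Hand back only path, query and fragment, never the raw input.
  return url.pathname + url.search + url.hash;
}

// Constructed sample values: the payload from this report, a cross-origin
// value, and a legitimate relative target.
const samples = [
  "javascript:alert(document.cookie)",
  "//other.example/landing",
  "/book-appointment.php?slot=2",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", safeRedirectTarget(s));
}

// In the page script the result would be used like:
//   location.assign(safeRedirectTarget(params.get("redirect_url")));
```

Checking the parsed `protocol` rather than string-matching the raw value avoids misses on case or whitespace variations of the scheme.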