FirstBlood-#1283 Reflected XSS on /book-appointment.html endpoint in the `redirect_url` parameter
This issue was discovered on FirstBlood v3
On 2022-12-09, mr_xhunt Level 8 reported:

Summary:

I found that the endpoint /book-appointment.html is used to redirect to /book-appointment.php, so I used the already-present redirect_url parameter and, with a simple JS payload, got the XSS.

Steps to Reproduce:

  1. Visit the following link with the payload: https://7cac14721157-mrxhunt.a.firstbloodhackers.com/book-appointment.html?redirect_url=javascript:alert(document.cookie)

Impact:

The attacker can leak the user's cookie and take over their account.

Underlying Issue:

The parameter redirect_url value is accepted without sanitization.

Remediation:

The parameter value must be sanitized before redirect.

P3 Medium

Endpoint: /book-appointment.html

Parameter: redirect_url

Payload: javascript:alert(document.cookie)
FirstBlood ID: 46
Vulnerability Type: Reflective XSS

The endpoint book-appointment.php was introduced to replace book-appointment.html, but code on book-appointment.html introduces an XSS vulnerability via the javascript: URI.
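The report's remediation ("the parameter value must be sanitized before redirect") and the platform note above both come down to one check: never hand a raw redirect_url value to the browser's location. The following is an added example, not FirstBlood's code or the reporter's, showing how a client-side redirect page can validate the parameter. It parses the value against the site's own origin so that javascript:, data:, protocol-relative (//host) and backslash-prefixed (/\host) values all fall back to the real destination, which also closes the open-redirect case. SITE_ORIGIN and the helper names are assumptions; the default target /book-appointment.php is the page the report identifies.

```javascript
// Added example (not FirstBlood's or the reporter's code): validate the
// redirect_url query parameter before using it as a navigation target.
const SITE_ORIGIN = 'https://example.com';        // assumed origin of the deployment
const DEFAULT_TARGET = '/book-appointment.php';    // destination named in the report

// Returns a same-origin, path-only target that is safe to assign to location.
// Falls back to DEFAULT_TARGET when the value is absent, unparseable, uses a
// non-http(s) scheme (javascript:, data:, vbscript:), or points to another host.
function safeRedirectTarget(raw, origin = SITE_ORIGIN, fallback = DEFAULT_TARGET) {
  if (typeof raw !== 'string' || raw.trim() === '') return fallback;
  let parsed;
  try {
    // Resolving against the site origin keeps "/path" same-origin, while
    // "//evil" or "/\evil" become absolute off-site URLs that the origin
    // comparison below rejects. The URL parser also strips embedded tabs and
    // newlines, so "java\tscript:" is still recognised as the javascript: scheme.
    parsed = new URL(raw.trim(), origin);
  } catch {
    return fallback;
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return fallback;
  if (parsed.origin !== origin) return fallback;
  // Rebuild a path-only string so the authority part can never be attacker-controlled.
  return parsed.pathname + parsed.search + parsed.hash;
}

// What book-appointment.html would do on load: read redirect_url from the query
// string, validate it, then navigate. `locationLike` is anything with assign(),
// so the function can be exercised outside a browser.
function redirectFromQuery(search, locationLike) {
  const raw = new URLSearchParams(search).get('redirect_url');
  const target = safeRedirectTarget(raw);
  locationLike.assign(target);
  return target;
}

// Browser entry point (guarded so the file also runs under Node for testing).
if (typeof window !== 'undefined' && typeof window.location !== 'undefined') {
  redirectFromQuery(window.location.search, window.location);
}
```

The origin comparison is deliberate: an allowlist of same-origin paths is simpler to reason about than trying to strip "javascript:" from a string, which is exactly the kind of sanitization that case changes, embedded whitespace and percent-encoding tend to bypass.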