FirstBlood-#1462Storred XSS with photo in /about endpoint
This issue was discovered on FirstBlood v3

On 2022-12-10, pichik Level 4 reported:



I found that photoUrl is vulnerable to XSS as well in one of the reflected endpoints.
There are two preventions in place against XSS, but unfortunately one can be easily bypassed and second is missing on this endpoint.
XSS needs to be inserted to doctor Jon with drid=3, as he is the only visible doctor on this endpoint.

  1. As photos of doctors are used in few different endpoints, there is encoding of special characters in them, which is missing in /about.php and /meet_drs.php endpoint.
  2. Filter, which is removing < > characters, but we dont really need them, as we are in <img> tag, we just need to get out of src="" attribute and enter onerror="" , to enter XSS payload.

Here is simple alert payload:

Here is the request:

POST /drpanel/drapi/edit-dr.php HTTP/1.1
Cookie: drps=b6818da048e036f61288c2152
Content-Type: application/x-www-form-urlencoded
Content-Length: 91



Here is url, where this XSS will trigger, so as you visit it you should see my XSS, this endpoint will trigger only with xss in drid 3:
Found that this endpoint is vulnerable as well for all drids:



This can be chained with CSRF I already reported, to insert this payload to doctor and all users which visits /about.php or /meet_drs.php will be affected.
And of course impact can be increased as well the same way as my previous XSS, with stealing cookies.


Filter, which is blocking or removing some special characters are never enough, as someone always find a new way to bypass them.
Encodings should be implemented before input is saved to database, not after, as you can see in this example, you may forgot to add encodings to some endpoints.

P2 High

Endpoint: /drpanel/drapi/edit-dr.php

Parameter: photoUrl

Payload: /a"onerror="alert(1)

FirstBlood ID: 65
Vulnerability Type: Stored XSS

There is a stored XSS vulnerability on about.php via the photo of doctor ID 3

FirstBlood ID: 64
Vulnerability Type: Stored XSS

There is a stored XSS vulnerability on meet_drs.php from the photo of the doctor

Report Feedback


Creator & Administrator

Congratulations you were second to discover xss on about.php via the photo URL