FirstBlood-#1552 Stored XSS in ambulance driver
This issue was discovered on FirstBlood v3

On 2022-12-11, pichik (Level 4) reported:



Found that the driver field in ambulances is vulnerable to XSS.
As the /api/manageambulances.php endpoint is publicly editable, an attacker can use this to insert XSS into them.

There is no filtering in place, so the payload is as simple as: <svg onload=alert(document.domain)>

Here is the POST request:

PUT /api/manageambulances.php HTTP/1.1
Content-Length: 138

"driver":"<svg onload=alert(document.domain)>",

XSS is triggered when a user visits his appointment with the affected ambulance.
The ID of the ambulance can be obtained from /api/ambulances.php?select=all, which I reported before.


I used <body onload=''> for this demonstration.


An attacker can chain more vulnerabilities to insert XSS into ambulance drivers and steal the cookies of doctors.


Apply HTML encoding for all user inputs.

P2 High

Endpoint: /api/manageambulances.php

Parameter: driver

Payload: <svg onload=alert(document.domain)>

FirstBlood ID: 76
Vulnerability Type: Stored XSS

There is a stored XSS vulnerability on /ambulances.php via a malicious driver's name.
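The recommended fix, HTML encoding of user-controlled fields at render time, is shown below as an added example; this is not FirstBlood's code, and the record shape, the template and the sample ambulance record are assumptions constructed for illustration. It renders the stored driver name both without output encoding (the defect the report describes) and with entity encoding applied, and includes a small check that flags rendered markup containing any element the template did not emit itself.

```javascript
// Added example, not FirstBlood's own code. Demonstrates output encoding of
// the "driver" field and a check that the rendered page contains no tag the
// template did not put there. Record shape and template are assumptions.

// The five characters that let untrusted text change HTML structure.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Encode a value for safe placement inside HTML element content or a
// quoted attribute value.
function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: the stored driver name is concatenated into HTML
// exactly as it was saved, so markup in the field becomes part of the page.
function renderAppointmentVulnerable(ambulance) {
  return `<p>Ambulance ${ambulance.id} driver: ${ambulance.driver}</p>`;
}

// Hardened rendering: every field that originated from user input passes
// through htmlEncode() before it is placed into the template.
function renderAppointmentSafe(ambulance) {
  const id = htmlEncode(ambulance.id);
  const driver = htmlEncode(ambulance.driver);
  return `<p>Ambulance ${id} driver: ${driver}</p>`;
}

// Regression check: collect every tag name in the rendered markup and report
// whether any of them is outside the set the template itself emits.
// The template above only emits <p>, so anything else means untrusted text
// reached the page without encoding.
function containsUnexpectedTag(html, allowedTags = ['p']) {
  const tagNames = [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9-]*)/g)]
    .map((m) => m[1].toLowerCase());
  return tagNames.some((name) => !allowedTags.includes(name));
}

// Constructed sample record (hypothetical ambulance id) holding the payload
// quoted in the report as the driver name.
const sampleAmbulance = {
  id: 1,
  driver: '<svg onload=alert(document.domain)>',
};

console.log('vulnerable:', renderAppointmentVulnerable(sampleAmbulance));
console.log('safe:      ', renderAppointmentSafe(sampleAmbulance));
console.log('vulnerable has unexpected tag:',
  containsUnexpectedTag(renderAppointmentVulnerable(sampleAmbulance)));
console.log('safe has unexpected tag:      ',
  containsUnexpectedTag(renderAppointmentSafe(sampleAmbulance)));
```

The containsUnexpectedTag check is deliberately simple: it is a unit-test guard against a template that forgets to encode a field, not a substitute for the encoding itself, which must be applied wherever a stored value is written into HTML.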

