FirstBlood #1640: Unauthenticated Access to API Call leads to Stored XSS in the Driver's Name
This issue was discovered on FirstBlood v3
On 2022-12-12, mr_xhunt Level 8 reported:

Summary:

Fuzzing the /api endpoint leaked the /api/manageambulances.php endpoint, which can be accessed by any unauthenticated user and whose data can be modified by sending a PUT request.

Steps To Reproduce:

  1. Intercept any request on FirstBlood and send it to Repeater.
  2. Now change the endpoint to: /api/manageambulances.php
  3. Now change the request method to PUT, as POST checks whether the user is allowed or not.
  4. Now remove the Content-Type or just make it suitable for a JSON payload.
  5. Note: you need to create an appointment with Ambulance enabled and then put the data accordingly. You can get all the data on /api/ambulances.php?select=_YOUR_APPT_ID
  6. Now add the following parameters and send the request; the driver's data will be changed.
  7. Now insert the XSS payload in the driver name.
  8. Visit /appointment.php and enter the appointment assigned; the stored XSS executes.

P2 High

Endpoint: /api/manageambulances.php

Parameter: driver

Payload: <img src=1 onerror=alert(document.cookie)>
FirstBlood ID: 76
Vulnerability Type: Stored XSS

There is a stored XSS vulnerability on /ambulances.php via a malicious driver's name.

FirstBlood ID: 73
Vulnerability Type: Stored XSS

The endpoint /api/manageambulances.php will respond to an unauthenticated PUT request, which allows an attacker to modify the information.
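Both findings above come from the same two defects: the authorization check on the manage-ambulances endpoint is tied to one HTTP method instead of to the act of modifying data, and the stored driver name is written into the page without output encoding. The following Python is an added illustration and is not FirstBlood's code (the real endpoint is PHP); the handler names, the in-memory ambulance table, the "staff" role rule and the request/session shapes are all assumptions made for the example. It shows the method-scoped check beside a method-agnostic one, and the output encoding that turns the reported payload into inert text.

```python
import html
from typing import Any, Dict, Optional, Tuple

# Constructed in-memory stand-in for the ambulances table (not FirstBlood's schema).
AMBULANCES: Dict[str, Dict[str, str]] = {
    "1001": {"appointment_id": "1001", "driver": "Jane Doe", "plate": "AB-12-CD"},
}
EDITABLE_FIELDS = {"driver", "plate"}
MUTATING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

Session = Optional[Dict[str, Any]]  # None models an unauthenticated request


def is_authorized(session: Session) -> bool:
    """Assumed authorization rule: only a logged-in staff user may manage ambulances."""
    return bool(session) and session.get("role") == "staff"


def apply_update(body: Dict[str, str]) -> Tuple[int, str]:
    """Shared update logic; callers are responsible for authorization."""
    record = AMBULANCES.get(body.get("appointment_id", ""))
    if record is None:
        return 404, "no such appointment"
    for field in EDITABLE_FIELDS & body.keys():
        record[field] = body[field]
    return 200, "updated"


def vulnerable_handler(method: str, session: Session, body: Dict[str, str]) -> Tuple[int, str]:
    """Mirrors the reported flaw: the authorization check lives inside the POST
    branch only, so a PUT reaches apply_update() with no check at all."""
    if method == "POST":
        if not is_authorized(session):
            return 403, "forbidden"
        return apply_update(body)
    if method == "PUT":
        return apply_update(body)
    return 405, "method not allowed"


def fixed_handler(method: str, session: Session, body: Dict[str, str]) -> Tuple[int, str]:
    """Authorization is decided before dispatching on the method, so every
    state-changing verb is covered, including any added later."""
    if method in MUTATING_METHODS and not is_authorized(session):
        return 403, "forbidden"
    if method in ("POST", "PUT"):
        return apply_update(body)
    return 405, "method not allowed"


def render_driver_cell(appointment_id: str) -> str:
    """HTML for the driver column on the appointment page. The stored value is
    encoded at output time, so a name containing markup is displayed as text
    rather than parsed by the browser."""
    record = AMBULANCES[appointment_id]
    return "<td>%s</td>" % html.escape(record["driver"], quote=True)


if __name__ == "__main__":
    # Constructed walk-through of the two handlers with the payload from the report.
    body = {"appointment_id": "1001", "driver": "<img src=1 onerror=alert(document.cookie)>"}
    print("fixed, no session:     ", fixed_handler("PUT", None, body))
    print("vulnerable, no session:", vulnerable_handler("PUT", None, body))
    print("rendered cell:         ", render_driver_cell("1001"))
```

The detection angle is the same for both handlers: any 200 response to a PUT on a management endpoint from a request carrying no session cookie is worth an alert, and the fixed handler makes that condition impossible by construction rather than per-branch.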