FirstBlood-#1772 — Stored XSS on ambulances.php
This issue was discovered on FirstBlood v3
On 2022-12-15, veshraj Level 4 reported:
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles
I have discovered a XSS vulnerability affecting the endpoint 'api/ambulances' in the parameter 'select'. The payload requires no filter bypass and is a simple, <img src=x onerror=alert(1)>
You can see a working proof of concept here:
To reproduce:
-
Create an appointment via /book-appointment.php with xss payload on fname and ambulance parameter set to true. (note that there is front end validation on fname parameter which we can bypass by intercepting and changing the value from burp)
-
Now, after step 1, you will get unique AppointmentID which you can use on following URL with select parameter:
https://129454321552-veshraj.a.firstbloodhackers.com/api/ambulances.php?select=<AppointmentID>
You can see that it executes the XSS.
Payload used:"><img src=x onerror=alert(1)>
Impact:
As the session cookies are not protected by HTTPOnly, we can obtain these and achieve account takeover. As well as this, the CSRF token is stored in the DOM which enables us to easily perform actions on behalf of the user.
P2 High
Endpoint: /api/ambulances.php
Parameter: select
Payload: n/a
FirstBlood ID: 53
Vulnerability Type: Stored XSS
It is possible to achieve stored XSS on /api/ambulances.php?select={id} via the users first/last name. For this to work the parameter ambulance=1 must be set