FirstBlood-#1637 Unauthenticated Modification of the Doctors Data via New API Call
This issue was discovered on FirstBlood v3
On 2022-12-12, mr_xhunt Level 8 reported:

Summary:

Leads to Stored XSS in the Bio of a doctor on the /about.php endpoint [Added]

Fuzzing the /api endpoint leaked the /api/managedoctors.php endpoint, which can be accessed by any unauthenticated user and can modify the data when sent a PUT request.

Steps to Reproduce:

  1. Intercept any request on FirstBlood and send it to Repeater.
  2. Change the endpoint to /api/managedoctors.php.
  3. Change the request method to PUT, as POST checks whether the user is allowed or not.
  4. Remove the Content-Type header, or set it to one suitable for a JSON payload.
  5. Add the following parameters and send the request; the doctor's data will be changed.
  6. Send the same request again with the XSS payload in the bio [note: drId must be 3, as the XSS is present on /about.php].
  7. Now visit the /about.php endpoint:

P2 High

Endpoint: /api/managedoctors.php

Parameter: bio

Payload: <svg/onload=alert(document.domain)>
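The flaw the report describes is a method-scoped authorisation check: the handler gates POST on the session but lets PUT reach the same update code. The following is an added example written for this page, not FirstBlood's own source (which is not shown here); the handler names, the in-memory doctor table, the `session_is_admin` flag and the JSON field names are assumptions, except `drId`, `bio` and the payload, which come from the report. It models the vulnerable handler beside a hardened one that authorises before any state change regardless of verb, and shows why the stored bio becomes live markup on about.php unless it is HTML-escaped on output.

```python
import html
import json

# Constructed in-memory doctor table standing in for the FirstBlood database.
# IDs 1 and 2 appear on meet_drs.php and ID 3 on about.php, per the report.
def fresh_doctors():
    return {
        1: {"name": "Dr Alice", "bio": "General practice."},
        2: {"name": "Dr Bob", "bio": "Cardiology."},
        3: {"name": "Dr Carol", "bio": "Paediatrics."},
    }

XSS_PAYLOAD = "<svg/onload=alert(document.domain)>"  # payload quoted in the report


def _parse_update(request):
    """Decode the JSON body and return (drId, bio), or None if it is malformed."""
    try:
        body = json.loads(request.get("body") or "")
        dr_id = int(body["drId"])
        bio = str(body["bio"])
    except (ValueError, TypeError, KeyError):  # JSONDecodeError is a ValueError
        return None
    return dr_id, bio


def _apply_update(request, doctors):
    """Shared update path reached by both handlers once they decide to proceed."""
    parsed = _parse_update(request)
    if parsed is None:
        return 400, "bad request"
    dr_id, bio = parsed
    if dr_id not in doctors:
        return 404, "not found"
    doctors[dr_id]["bio"] = bio
    return 200, "updated"


def vulnerable_managedoctors(request, doctors):
    """Models the reported bug: the session check is tied to POST, so PUT skips it."""
    method = request["method"]
    if method == "POST":
        if not request.get("session_is_admin", False):
            return 403, "forbidden"
        return _apply_update(request, doctors)
    if method == "PUT":  # no authorisation check on this branch (the bug)
        return _apply_update(request, doctors)
    return 405, "method not allowed"


def hardened_managedoctors(request, doctors):
    """Fix: reject unknown verbs, then authorise before any state change,
    independent of which verb carried the request."""
    if request["method"] not in ("POST", "PUT"):
        return 405, "method not allowed"
    if not request.get("session_is_admin", False):
        return 403, "forbidden"
    return _apply_update(request, doctors)


def render_bio_vulnerable(doctors, dr_id):
    """Raw concatenation: a stored payload becomes live markup on about.php."""
    return "<p class='bio'>%s</p>" % doctors[dr_id]["bio"]


def render_bio_safe(doctors, dr_id):
    """Output encoding appropriate for an HTML text node."""
    return "<p class='bio'>%s</p>" % html.escape(doctors[dr_id]["bio"], quote=True)


def reproduce():
    """Runs the report's unauthenticated PUT against both handlers; returns a summary."""
    attack = {"method": "PUT",  # no session at all, as in the report
              "body": json.dumps({"drId": 3, "bio": XSS_PAYLOAD})}
    vuln_db = fresh_doctors()
    vuln_status, _ = vulnerable_managedoctors(attack, vuln_db)
    safe_db = fresh_doctors()
    safe_status, _ = hardened_managedoctors(attack, safe_db)
    return {
        "vulnerable_put_status": vuln_status,
        "vulnerable_bio": vuln_db[3]["bio"],
        "vulnerable_about_html": render_bio_vulnerable(vuln_db, 3),
        "hardened_put_status": safe_status,
        "hardened_bio": safe_db[3]["bio"],
    }


if __name__ == "__main__":
    for key, value in reproduce().items():
        print(f"{key}: {value}")
```

The hardened handler decides on the method first and the session second, so any new verb added later (PATCH, DELETE) cannot silently inherit the unauthenticated path; the output-side escape is the second, independent control that would have stopped the stored XSS even with the access-control bug in place.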


FirstBlood ID: 75
Vulnerability Type: Access_control

An unauthenticated user can modify doctors via a PUT request on the /api/managedoctors.php endpoint

FirstBlood ID: 74
Vulnerability Type: Stored XSS

It is possible to achieve stored XSS via the doctor's bio on about.php (doctor ID 3) and meet_drs.php (only doctor IDs 1 and 2 are affected)