FirstBlood-#1049 Reflective XSS in appointment feature
This issue was discovered on FirstBlood v3



On 2022-12-08, ayush1098 Level 8 reported:

Hello Team,

Summary

Endpoint: /book-appointment.html

Payload Used: javascript:alert(document.domain)

I have found a Reflected XSS at the /book-appointment endpoint. While sending the request to /book-appointment.html, there is an intermediate request, and while reading the DOM we can notice that it is taking a parameter named redirect_url. We can put any arbitrary URL in the parameter and it will redirect us to that URL. I have exploited this to achieve reflected XSS.

Steps To Reproduce:

  1. Go to http://cc0ee1c7497f-ayush1098.a.firstbloodhackers.com/book-appointment.html?redirect_url=javascript:alert(document.domain).

  2. It will alert the domain of the container. We can exploit this to steal cookies of the doctor (still trying to find a way to register).

Note: I mistyped, this is a reflected XSS, not a Stored XSS

Impact:

Cookie Stealing, Session Hijacking etc.

Thanks & Regards

Ayush Singh

P3 Medium

Endpoint: /book-appointment.html

Parameter: return_url

Payload: javascript:alert(document.domain)


FirstBlood ID: 46
Vulnerability Type: Reflective XSS

The endpoint book-appointment.php was introduced to replace book-appointment.html, but code on book-appointment.html introduces an XSS vulnerability via the javascript: URI
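The root cause described above is a client-side redirect that hands a query-string value straight to the browser, so a javascript: URI executes in the page's origin. The following is an added example, not code from the FirstBlood application or from the reporter: it places that unsafe pattern next to a hardened replacement that resolves the value against the page origin, accepts only same-origin http(s) targets, and otherwise falls back to a fixed page. The function names, the parameter name `redirect_url` (taken from the report) and the fallback path are assumptions.

```javascript
// Added example (not FirstBlood's code): unsafe vs. hardened handling of a
// client-side redirect parameter. Names and fallback path are assumptions.

// Unsafe pattern: the query parameter is returned as-is. If the page then does
// location.assign(value), a value of "javascript:alert(document.domain)"
// runs as script in the current origin, which is the reported XSS.
function unsafeRedirectTarget(search) {
  const params = new URLSearchParams(search);
  return params.get("redirect_url"); // no scheme or origin check at all
}

// Hardened version: parse the value as a URL relative to the page origin,
// allow only http(s) targets on that same origin, and fall back otherwise.
// Rejecting by scheme blocks javascript:, data:, vbscript: and similar;
// comparing origins blocks open redirects to other hosts (including
// protocol-relative forms such as "//evil.example/x").
function safeRedirectTarget(search, origin, fallback = "/") {
  const params = new URLSearchParams(search);
  const raw = params.get("redirect_url");
  if (raw === null || raw === "") return fallback;

  let target;
  try {
    // Relative paths resolve against the page origin; absolute URLs keep
    // whatever scheme they carry, which is exactly what we must inspect.
    target = new URL(raw, origin);
  } catch {
    return fallback; // unparsable input is treated as "no redirect"
  }

  const allowedSchemes = ["http:", "https:"];
  if (!allowedSchemes.includes(target.protocol)) return fallback;
  if (target.origin !== new URL(origin).origin) return fallback;

  // Return a path-only value so the caller never navigates cross-origin.
  return target.pathname + target.search + target.hash;
}

// Usage in the page would be:
//   location.assign(safeRedirectTarget(location.search, location.origin));
```

The scheme allow-list is the important part: a deny-list that only strips `javascript:` misses other executable or data-carrying schemes and is easy to bypass with case or whitespace variations, whereas `new URL()` normalises the scheme before the comparison. Returning a path rather than the full URL also keeps the fix from turning into an open redirect.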

Report Feedback

@zseano

Creator & Administrator


Congratulations, you were the second researcher to discover this!