FirstBlood-#1138 — Reflected XSS on /doctors.php
This issue was discovered on FirstBlood v3
On 2022-12-08, 0xblackbird Level 5 reported:
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
BugBountyHunter Membership
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles
Summary:
Hi mate!
I found a reflected XSS vulnerability on /doctors.php.
Impact:
I was able to execute javascript code on any user's behalf (as long as they visit my malicious link).
Possible cause:
User input that got passed through the doctor query parameter was not validated or encoded properly.
Steps to reproduce:
Proof of concept: /doctors.php?doctor=2%27-alert(document.domain)//
1) Spin up firstblood v3 if you haven't already
2) Visit the path PoC above
3) An alert popup should appear with the document's domain
4) If you take a look at the source code closely, you can see where user input wasn't handeld correctly:
Mitigation
For reflected and stored XSS vulnerabilities it is always necessary to encode any user input accordingly. Here, the single quote was left unencoded and allowed me to escape the variable context.
Thanks for hosting such an awesome event again!
Kind regards,
0xblackbird
P3 Medium
Endpoint: /doctors.php
Parameter: doctor
Payload: 2'-alert(document.domain)//
FirstBlood ID: 47
Vulnerability Type: Reflective XSS
The endpoint /doctors.php is vulnerable to reflective XSS via the ?doctor= parameter