FirstBlood-#1146Reflected XSS on https://a939f6568e92-mrxhunt.a.firstbloodhackers.com/doctors.php
This issue was discovered on FirstBlood v3



On 2022-12-08, mr_xhunt Level 8 reported:

I have found Reflected XSS on doctors.php endpoint in the parameter doctor with a very simple xss payload

Steps to Reproduce:

  1. You need to visit the following link: https://a939f6568e92-mrxhunt.a.firstbloodhackers.com/doctors.php?doctor=%27-alert(document.location)-%27
  2. The XSS will popup and can be used to leak the Cookies of the Authenticated users

Underlying Issue:

The value of doctor parameter is directly inserted in the javascript code without being sanitized first, thus ' closes the js variable value and then we insert our own alert command and can easily leak the Cookie of the users

Remeditation:

The value must be sanitized first with proper escaping.

P3 Medium

Endpoint: /doctors.php

Parameter: doctor

Payload: %27-alert(document.location)-%27


FirstBlood ID: 47
Vulnerability Type: Reflective XSS

The endpoint /doctors.php is vulnerable to reflective XSS via the ?doctor= parameter