FirstBlood-#231 — Stored XSS on Admn API endpoint for querying Appointment
This issue was discovered on FirstBlood v1
On 2021-05-13, xnl-h4ck3r Level 4 reported:
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles
Summary
A stored XSS payload can be entered into the First name or Surname fields on /book-appointment.html that can be fired by an Admin user visiting the query appointment API endpoint directly: /drpanel/drapi/query.php?aptid={APTID}
NOTE: THIS PAYLOAD ONLY WORKS IN FIREFOX AND CHROME BROWSERS
Steps to Reproduce
- Go to
/book-appointment.html and create a new apoointment setting the first name to <marquee onstart=confirm`XSS`>
- Sign is an the admin user.
- Use Burp to proxy traffic.
- On
/drpanel/index.php go to the appointment you made in Step 1 and click on the patients name to display the apppointment details.
- Go to Burps HTTP Histroy and copy the URL of the last GET request to
/drpanel/drapi/query.php. This will be something like /drpanel/drapi/query.php?aptid=56914781 where 56914781 is the appointment ID.
- When youy visit the URL, you will see an alert box displayed showing XSS
Impact
If stored XSS is possible then it can be possible for an attacker to leak the authentication cookie and log in as the admin user. The impact is lower because the victim needs to use Firefox or IE and has to visit the API url directly.
P2 High
Endpoint: /drpanel/drapi/query.php?aptid={APTID}
Parameter: fname, lname
Payload: <marquee onstart=confirm`XSS`>
FirstBlood ID: 10
Vulnerability Type: Stored XSS
When creating an appointment, it is possible to get stored XSS /drapi/query.php via the patients name