FirstBlood-#120 — Stored XSS on /drpanel/drapi/query.php?aptid
This issue was discovered on FirstBlood v1
On 2021-05-10, iffu Level 5 reported:
Hi zseano
Summary
I have found a Stored XSS vulnerability on /drpanel/drapi/query.php.
When a user wants to request an appointment, he needs to give his details and book an appointment on http://firstbloodhackers.com:49361/book-appointment.html. But the input given to this page is reflected on the admin dashboard on /drpanel/drapi/query.php.
Steps to reproduce
- Insert an XSS payload in the firstname and/or lastname of the appointment form on http://firstbloodhackers.com:49361/book-appointment.html
- When the admin visits /drpanel/drapi/query.php?aptid={{your_aptid_here}}, he will be popped with an alert box indicating the XSS payload has fired successfully.
ZSEANO, I can't thank you enough for making this platform so wonderful that learning has become a great joy with an awesome community which comes to help when needed
P2 High
Endpoint: /drpanel/drapi/query.php
Parameter: ***
Payload: <script>confirm`1`</script>
FirstBlood ID: 10
Vulnerability Type: Stored XSS
When creating an appointment, it is possible to get stored XSS on /drapi/query.php via the patient's name.
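As an added illustration (not code from FirstBlood or from the reporter), the Python below mirrors the flow described in the report: a patient name stored from the booking form is later interpolated into the admin view unencoded, so the report's payload survives verbatim, while HTML-encoding every user-controlled value at output time neutralises it in both text and attribute context. The in-memory appointment store, the aptid values and the table markup are constructed for the example; the real query.php markup is not on the page. Note that the payload calls confirm with a tagged template literal, which needs no parentheses, so a filter that only strips "(" and ")" would not stop it.

```python
from html import escape

# Payload exactly as given in the report; backtick call syntax needs no parentheses.
PAYLOAD = "<script>confirm`1`</script>"

# Constructed stand-in for the appointment table; aptid values are assumptions,
# not identifiers from the real application.
APPOINTMENTS = {
    "1337": {"firstname": PAYLOAD, "lastname": "Doe"},
    "1338": {"firstname": "Jane", "lastname": "O'Neil"},
}


def render_vulnerable(aptid: str) -> str:
    """Admin view that interpolates the stored patient name without encoding.

    This is the pattern the report describes: whatever was typed into the
    booking form lands in the admin's DOM unchanged.
    """
    apt = APPOINTMENTS[aptid]
    return (
        "<table><tr>"
        f"<td>{apt['firstname']}</td><td>{apt['lastname']}</td>"
        f"<td><input value=\"{apt['firstname']}\"></td>"
        "</tr></table>"
    )


def render_fixed(aptid: str) -> str:
    """Same view with every user-controlled value HTML-encoded at output time.

    quote=True also encodes ' and " so the value is safe inside the
    input attribute as well as in the table cell.
    """
    apt = APPOINTMENTS[aptid]
    first = escape(apt["firstname"], quote=True)
    last = escape(apt["lastname"], quote=True)
    return (
        "<table><tr>"
        f"<td>{first}</td><td>{last}</td>"
        f"<td><input value=\"{first}\"></td>"
        "</tr></table>"
    )


def payload_fires(html: str, payload: str = PAYLOAD) -> bool:
    """The check a tester makes on the admin response: is the raw payload present verbatim?"""
    return payload in html


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        out = render("1337")
        print(f"{name}: payload fires = {payload_fires(out)}")
        print(out)
```

Running the block prints the two renderings side by side; the vulnerable one contains the script tag as-is, the fixed one shows it as `&lt;script&gt;confirm`1`&lt;/script&gt;`, which the browser displays as text and never executes.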