FirstBlood #120: Stored XSS on /drpanel/drapi/query.php?aptid



On 2021-05-10, iffu reported:

Hi zseano

Summary

I have found a Stored XSS vulnerability on /drpanel/drapi/query.php.

When a user wants to request an appointment, he needs to give his details and book the appointment on http://firstbloodhackers.com:49361/book-appointment.html. But the input given to this page is reflected on the admin dashboard on /drpanel/drapi/query.php.

Steps to reproduce

  • Insert an XSS payload in the firstname and/or lastname fields of the appointment form on http://firstbloodhackers.com:49361/book-appointment.html

  • When the admin visits /drpanel/drapi/query.php?aptid={{your_aptid_here}}, an alert box pops up, indicating that the XSS payload has fired successfully.

ZSEANO, I can't thank you enough for making this platform so wonderful; learning has become a great joy with an awesome community that comes to help when needed.

P2 High

Endpoint: /drpanel/drapi/query.php

Parameter: ***

Payload: <script>confirm`1`</script>


FirstBlood ID: 10
Vulnerability Type: Stored XSS

When creating an appointment, it is possible to get stored XSS on /drapi/query.php via the patient's name.
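The pattern the report describes, as an added example that is not FirstBlood's own code (the appointment record, the field names and the helper functions are assumptions): the patient name stored at booking time is written into the admin page unencoded, shown beside the encoded rendering that makes the payload inert, plus an input check that rejects markup in a name.

```php
<?php
// Hypothetical reconstruction of the reported pattern; not the platform's query.php.
// Constructed appointment record, as it would sit in the database after booking.
$appointment = [
    'aptid'     => 120,                            // constructed sample id
    'firstname' => '<script>confirm`1`</script>',  // the reported payload, stored verbatim
    'lastname'  => 'Doe',
];

// Vulnerable rendering: stored values are concatenated straight into the admin HTML,
// so the browser parses the patient's name as markup and runs the script.
function render_vulnerable(array $apt): string
{
    return '<td>' . $apt['firstname'] . ' ' . $apt['lastname'] . '</td>';
}

// Output encoding helper: every untrusted value is HTML-encoded at render time.
// ENT_QUOTES also encodes single and double quotes, so the same helper is safe
// for values placed inside attribute values, not only in text nodes.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened rendering: '<' and '>' in the name become '&lt;' and '&gt;',
// so the stored payload is displayed as text instead of being executed.
function render_fixed(array $apt): string
{
    return '<td>' . h($apt['firstname']) . ' ' . h($apt['lastname']) . '</td>';
}

// Defence in depth at booking time: a patient name is letters (any script),
// combining marks, spaces, apostrophes, periods and hyphens, up to 64 characters.
// Output encoding is still required; this only narrows what gets stored.
function validate_name(string $name): bool
{
    return (bool) preg_match('/^[\p{L}\p{M}\' .-]{1,64}$/u', $name);
}

echo render_vulnerable($appointment), PHP_EOL;
echo render_fixed($appointment), PHP_EOL;
var_dump(validate_name($appointment['firstname']));
var_dump(validate_name($appointment['lastname']));
```

The encoded output still contains the backticks of the payload, since htmlspecialchars does not touch them; that is harmless once the angle brackets are encoded, because no element is ever created.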


Respect Earnt: 1000000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.