FirstBlood-#1724 Doctor params vulnerable to stored XSS
This issue was discovered on FirstBlood v3



On 2022-12-14, pichik Level 4 reported:

Hi,

DESCRIPTION:

I found that the newly discovered endpoint /api/managedoctors.php from my previous report has params vulnerable to XSS.
These params are:

  1. name
  2. bio
  3. tagline

There is no filtering or encoding, so the payload is as simple as <img src=/ onerror=alert(1)>.

XSS TRIGGERS EXPLAINED - IMPORTANT !!!:

Okay, this is more complicated than I thought, so I am going to mention how these XSS are triggering and where.
So /api/managedoctors.php has 3 params (name, bio, tagline) and there are 4 doctors, drId 1, 2, 3, 4.
We have 6 endpoints where these doctors are shown: /doctors.php, /meet_drs.php, /about.php, /drpanel/index.php, /drpanel/edit-doctor.php?id=[1-4], /manageappointment.php?success&aptid=[id].

Triggers:

  1. Endpoint: /doctors.php; Params: name; drId: 1, 2, 3, 4
  2. Endpoint: /about.php; Params: bio, name; drId: 3
  3. Endpoint: /meet_drs.php; Params: name, tagline; drId: 1, 2, 3, 4
     Endpoint: /meet_drs.php; Params: bio; drId: 1, 2
  4. Endpoint: /drpanel/index.php; not vulnerable
  5. Endpoint: /drpanel/edit-doctor.php?id=[1-4]; not vulnerable
  6. Endpoint: /manageappointment.php?success&aptid=[id]; Params: name; drId: 1

Hope this makes sense.

Here is the request:

PUT /api/managedoctors.php HTTP/1.1
Host: 9f0fae8ab2d6-pichik.a.firstbloodhackers.com

{
"name":"<img src=/ onerror=alert('name2')>",
"bio":"<img src=/ onerror=alert('bio2')>",
"tagline":"<img src=/ onerror=alert('tagline2')>",
"drId":"2"
}

POC LINK:

Here is the endpoint where most of the params will trigger:
https://9f0fae8ab2d6-pichik.a.firstbloodhackers.com/meet_drs.php

POC SCREEN:

Here we can see our payloads nicely reflected:

IMPACT:

An attacker can use this to steal doctors' cookies.

REMEDIATION:

Use HTML encoding on all user input.

P2 High

Endpoint: /api/managedoctors.php

Parameter: name, bio, tagline

Payload: <img src=/ onerror=alert(1)>
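The remediation line above (HTML-encode the stored doctor fields) and the per-endpoint triage, as an added Python example that is not part of the original report or of the FirstBlood application (which is PHP): a vulnerable renderer that concatenates the stored fields straight into page markup, beside a hardened one that encodes at output time, plus a small HTMLParser-based checker that flags any element carrying an on* event handler, which is what the reporter verified by eye on each endpoint. The DOCTOR record mirrors the PUT body from the report; the page markup, the function names and the helper class are constructed for this illustration.

```python
import html
from html.parser import HTMLParser

# Constructed doctor record mirroring the PUT body in the report (drId 2).
# Example data for this illustration, not the application's own data model.
DOCTOR = {
    "drId": "2",
    "name": "<img src=/ onerror=alert('name2')>",
    "bio": "<img src=/ onerror=alert('bio2')>",
    "tagline": "<img src=/ onerror=alert('tagline2')>",
}

FIELDS = ("name", "bio", "tagline")


def render_unsafe(doctor):
    """How a page like meet_drs.php becomes vulnerable: the stored fields are
    concatenated into the HTML with no encoding, so stored markup is live."""
    return (
        f'<div class="doctor" data-id="{doctor["drId"]}">'
        f'<h2>{doctor["name"]}</h2>'
        f'<p class="tagline">{doctor["tagline"]}</p>'
        f'<p class="bio">{doctor["bio"]}</p>'
        "</div>"
    )


def render_safe(doctor):
    """The remediation: encode every stored field at the point of output
    (the PHP equivalent is htmlspecialchars($s, ENT_QUOTES, 'UTF-8')).
    The same template is reused; only the values crossing into HTML change."""
    encoded = {k: html.escape(v, quote=True) for k, v in doctor.items()}
    return render_unsafe(encoded)


class HandlerFinder(HTMLParser):
    """Collects elements that carry an on* attribute, i.e. markup the browser
    would execute rather than display. Hypothetical helper for this example."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower().startswith("on"):
                self.hits.append((tag, name, value or ""))


def executable_handlers(page):
    """Return every (tag, attribute, value) event handler found in the page."""
    finder = HandlerFinder()
    finder.feed(page)
    finder.close()
    return finder.hits


def unencoded_fields(page, doctor):
    """Which stored fields appear in the page as raw (unencoded) markup.
    This is the per-endpoint check the report performed by hand."""
    return [f for f in FIELDS if doctor[f] in page]


if __name__ == "__main__":
    for label, page in (("unsafe", render_unsafe(DOCTOR)),
                        ("safe", render_safe(DOCTOR))):
        print(label, "handlers:", executable_handlers(page))
        print(label, "unencoded fields:", unencoded_fields(page, DOCTOR))
```

In practice the checker would be run over the bodies fetched from /doctors.php, /about.php, /meet_drs.php and /manageappointment.php after the PUT, one field at a time so each finding maps back to a single parameter as in the trigger list above; the example uses constructed markup so it runs offline. Note that the fix belongs at output, not on input as the report's wording suggests: encoding on the way in breaks legitimate data in non-HTML contexts (the JSON API, emails, logs) and misses any value that reaches the database by another path, such as the unauthenticated PUT this report chains from (FirstBlood ID 75).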


FirstBlood ID: 75
Vulnerability Type: Access_control

An unauthenticated user can modify doctors via a PUT request on the /api/managedoctors.php endpoint

FirstBlood ID: 55
Vulnerability Type: Stored XSS

It is possible to achieve stored XSS on the /doctors.php endpoint via a malicious doctor's name

FirstBlood ID: 74
Vulnerability Type: Stored XSS

It is possible to achieve stored XSS via the doctors bio on about.php (doctor ID 3) and meet_drs.php (only doctor ID 1 and 2 are affected)

FirstBlood ID: 56
Vulnerability Type: Stored XSS

It is possible to achieve stored XSS on the /about.php endpoint via a malicious doctor's name

FirstBlood ID: 70
Vulnerability Type: Stored XSS

Doctors can have taglines set; however, the tagline is vulnerable to stored XSS on meet_drs.php

FirstBlood ID: 57
Vulnerability Type: Stored XSS

It is possible to achieve stored XSS on the /manageappointment.php endpoint via a malicious doctor's name if the user has booked this specific doctor

Report Feedback

@zseano

Creator & Administrator


Congratulations, you were third to discover bug id 74