FirstBlood-#189Stored Cross site scripting
This issue was discovered on FirstBlood v1.0.0



On 2021-05-11, d20s84 Level 3 reported:

Summary: Stored Xss can be triggered on the drAdmin panel while accessing /drpanel/cancelled.php#.

Source of injection : /api/ma.php Sink of injection : /drpanel/cancelled.php#

Steps:

  1. Register an appointment by filling in all the required credentials.
  2. Now, Click on the Manage appointment icon.
  3. Click on Cancel appointment and capture the request.
  4. Add message parameter in the body section as shown in the figure below [Consider the Note: section].
  5. Forward the request.
  6. Hover the mouse on the patient's name in the /drpanel/cancelled.php endpoint.
  7. Open the console log and boom the payload has been logged as an array.

Impact : Malicious attacker can steal the cookie and perform other malicious activities on the admin panel.

Note: The extra embedded message parmeter in the body section of the request

P1 CRITICAL

Endpoint: /api/ma.php

Parameter: message=

Payload: abc"%26quot;%20onpointerenter=console.log`d20s84`>


FirstBlood ID: 8
Vulnerability Type: Stored XSS

When cancelling an appointment, an attacker can add a malicious XSS payload that will execute against administrators/doctors