FirstBlood-#189 — Stored Cross-Site Scripting
This issue was discovered on FirstBlood v1
On 2021-05-11, d20s84 Level 3 reported:
Summary: Stored XSS can be triggered on the drAdmin panel when accessing /drpanel/cancelled.php#.
Source of injection: /api/ma.php
Sink of injection: /drpanel/cancelled.php#
- Register an appointment by filling in all the required credentials.
- Now click on the Manage appointment icon.
- Click on Cancel appointment and capture the request.
- Add the message parameter in the body section as shown in the figure below (see the Note section).
- Forward the request.
- Hover the mouse on the patient's name in the /drpanel/cancelled.php endpoint.
- Open the console log and, boom, the payload has been logged as an array.
Impact: A malicious attacker can steal the cookie and perform other malicious activities on the admin panel.
Note: the extra embedded message parameter in the body section of the request.
FirstBlood ID: 8
Vulnerability Type: Stored XSS
When cancelling an appointment, an attacker can add a malicious XSS payload that will execute against administrators/doctors.
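The sink and its fix, as an added illustration that is not FirstBlood's own code: a hypothetical reconstruction of how a stored `message` field reaches the cancelled-appointments row (`render_row_vulnerable`) beside a context-aware encoded version (`render_row_hardened`), plus an allowlist at the source endpoint. The column names, the `console.log` call and the cancel-form field names are assumptions.

```php
<?php
// Hypothetical reconstruction of the /drpanel/cancelled.php sink (not FirstBlood's code).
// Assumed: each cancelled appointment row has a `name` and a `message` column,
// where `message` is the extra parameter the report smuggles into the
// /api/ma.php cancel request.

// VULNERABLE pattern: the stored message is placed raw into an HTML attribute
// (the hover tooltip on the patient's name) and into an inline script (the
// array the report sees in the console). Any quote or tag in the stored
// value breaks out of those contexts and runs in the doctor's browser.
function render_row_vulnerable(array $row): string
{
    return '<td title="' . $row['message'] . '">' . $row['name'] . '</td>'
         . "<script>console.log(['" . $row['message'] . "']);</script>";
}

// HARDENED pattern: encode separately for each output context.
//  - htmlspecialchars with ENT_QUOTES covers element text and both
//    double- and single-quoted attribute values;
//  - json_encode with the JSON_HEX_* flags yields a JS string literal that
//    cannot terminate the surrounding <script> block or string.
function render_row_hardened(array $row): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    $name  = htmlspecialchars($row['name'], $flags, 'UTF-8');
    $msg   = htmlspecialchars($row['message'], $flags, 'UTF-8');
    $js    = json_encode($row['message'],
                 JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return '<td title="' . $msg . '">' . $name . '</td>'
         . '<script>console.log([' . $js . ']);</script>';
}

// Defence in depth at the source (/api/ma.php): keep only the fields the
// cancel form is meant to send, so an unexpected `message` is never stored,
// and bound the length of free-text fields you do keep.
function cancel_request_fields(array $post): array
{
    $allowed = ['appointment_id', 'reason'];   // assumed field names
    $clean = array_intersect_key($post, array_flip($allowed));
    if (isset($clean['reason'])) {
        $clean['reason'] = mb_substr((string) $clean['reason'], 0, 500);
    }
    return $clean;
}
```

A Content-Security-Policy without `unsafe-inline` on the /drpanel pages would additionally stop the inline-script variant even if an encoding step is missed.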