FirstBlood-#210 — Reflective XSS on Register page leading to leak of PII data
This report has been reviewed and accepted as a valid vulnerability on FirstBlood!
On 2021-05-12, xnl-h4ck3r reported:
An XSS vulnerability exists on
/register.php that allows an attacker to craft a URL which if clicked by a user can automatically leak the users
drps cookie token to the attacker and using this they can access patient PII data. No other user interaction is needed.
ref parameter can be used to display a Return to previous page link. The href attribute of the link is vulnerable to XSS and can also be used as an Open Redirect, e.g.
Steps to Reproduce
- Log in as an admin user.
- Click the link
- Observe the payload fires and displays the cookie:
NOTE: This cookie can be sent to attackers server
- Clear all cookies and go to the web app again but do not log in.
- Add the cookie shows in Step 3 and go to
/drpanel/index.php and observe that you are now logged in as admin and view patient data.
If an attacker can phish a user to click the link containing the payload, they can view all patient PII data.
This report has been publicly disclosed for everyone to view
FirstBlood ID: 4
Vulnerability Type: Reflective XSS
The parameter "ref" is vulnerable to XSS on register.php. The developer made use of htmlentities but this is inadequate as the HREF is wrapped in single quotes.
Respect Earnt: 1500000
is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.