FirstBlood-#210Reflective XSS on Register page leading to leak of PII data



On 2021-05-12, xnl-h4ck3r Level 4 reported:

Summary

An XSS vulnerability exists on /register.php that allows an attacker to craft a URL which if clicked by a user can automatically leak the users drps cookie token to the attacker and using this they can access patient PII data. No other user interaction is needed.

The ref parameter can be used to display a Return to previous page link. The href attribute of the link is vulnerable to XSS and can also be used as an Open Redirect, e.g. ref=/\/attacker.com.

Steps to Reproduce

  1. Log in as an admin user.
  2. Click the link http://firstbloodhackers.com:49557/register.php?ref=x%27%20autofocus%20onfocus=alert(document.cookie)%20
  3. Observe the payload fires and displays the cookie:

NOTE: This cookie can be sent to attackers server

  1. Clear all cookies and go to the web app again but do not log in.
  2. Add the cookie shows in Step 3 and go to /drpanel/index.php and observe that you are now logged in as admin and view patient data.

Impact

If an attacker can phish a user to click the link containing the payload, they can view all patient PII data.

P3 Medium

Endpoint: /register.php

Parameter: ref

Payload: x%27%20autofocus%20onfocus=alert(document.cookie)%20


FirstBlood ID: 4
Vulnerability Type: Reflective XSS

The parameter "ref" is vulnerable to XSS on register.php. The developer made use of htmlentities but this is inadequate as the HREF is wrapped in single quotes.


Respect Earnt: 1.5M
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.