FirstBlood-#210 — Reflective XSS on Register page leading to leak of PII data
On 2021-05-12, xnl-h4ck3r reported:
An XSS vulnerability exists on
/register.phpthat allows an attacker to craft a URL which if clicked by a user can automatically leak the users
drpscookie token to the attacker and using this they can access patient PII data. No other user interaction is needed.
refparameter can be used to display a Return to previous page link. The href attribute of the link is vulnerable to XSS and can also be used as an Open Redirect, e.g.
Steps to Reproduce
- Log in as an admin user.
- Click the link
- Observe the payload fires and displays the cookie:
NOTE: This cookie can be sent to attackers server
- Clear all cookies and go to the web app again but do not log in.
- Add the cookie shows in Step 3 and go to
/drpanel/index.phpand observe that you are now logged in as admin and view patient data.
If an attacker can phish a user to click the link containing the payload, they can view all patient PII data.
FirstBlood ID: 4
Vulnerability Type: Reflective XSS
The parameter "ref" is vulnerable to XSS on register.php. The developer made use of htmlentities but this is inadequate as the HREF is wrapped in single quotes.