FirstBlood-#231Stored XSS on Admn API endpoint for querying Appointment



On 2021-05-13, xnl-h4ck3r reported:

Summary

A stored XSS payload can be entered into the First name or Surname fields on /book-appointment.html that can be fired by an Admin user visiting the query appointment API endpoint directly: /drpanel/drapi/query.php?aptid={APTID}

NOTE: THIS PAYLOAD ONLY WORKS IN FIREFOX AND CHROME BROWSERS

Steps to Reproduce

  1. Go to /book-appointment.html and create a new apoointment setting the first name to <marquee onstart=confirm`XSS`>
  2. Sign is an the admin user.
  3. Use Burp to proxy traffic.
  4. On /drpanel/index.php go to the appointment you made in Step 1 and click on the patients name to display the apppointment details.
  5. Go to Burps HTTP Histroy and copy the URL of the last GET request to /drpanel/drapi/query.php. This will be something like /drpanel/drapi/query.php?aptid=56914781 where 56914781 is the appointment ID.
  6. When youy visit the URL, you will see an alert box displayed showing XSS

Impact

If stored XSS is possible then it can be possible for an attacker to leak the authentication cookie and log in as the admin user. The impact is lower because the victim needs to use Firefox or IE and has to visit the API url directly.

P2 High

Endpoint: /drpanel/drapi/query.php?aptid={APTID}

Parameter: fname, lname

Payload: <marquee onstart=confirm`XSS`>


FirstBlood ID: 10
Vulnerability Type: Stored XSS

When creating an appointment, it is possible to get stored XSS /drapi/query.php via the patients name


Respect Earnt: 1500000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.