FirstBlood-#231Stored XSS on Admn API endpoint for querying Appointment

On 2021-05-13, xnl-h4ck3r Level 4 reported:


A stored XSS payload can be entered into the First name or Surname fields on /book-appointment.html that can be fired by an Admin user visiting the query appointment API endpoint directly: /drpanel/drapi/query.php?aptid={APTID}


Steps to Reproduce

  1. Go to /book-appointment.html and create a new apoointment setting the first name to <marquee onstart=confirm`XSS`>
  2. Sign is an the admin user.
  3. Use Burp to proxy traffic.
  4. On /drpanel/index.php go to the appointment you made in Step 1 and click on the patients name to display the apppointment details.
  5. Go to Burps HTTP Histroy and copy the URL of the last GET request to /drpanel/drapi/query.php. This will be something like /drpanel/drapi/query.php?aptid=56914781 where 56914781 is the appointment ID.
  6. When youy visit the URL, you will see an alert box displayed showing XSS


If stored XSS is possible then it can be possible for an attacker to leak the authentication cookie and log in as the admin user. The impact is lower because the victim needs to use Firefox or IE and has to visit the API url directly.

P2 High

Endpoint: /drpanel/drapi/query.php?aptid={APTID}

Parameter: fname, lname

Payload: <marquee onstart=confirm`XSS`>

FirstBlood ID: 10
Vulnerability Type: Stored XSS

When creating an appointment, it is possible to get stored XSS /drapi/query.php via the patients name

Respect Earnt: 1.5M
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.