FirstBlood-#231 — Stored XSS on Admin API endpoint for querying Appointment
On 2021-05-13, xnl-h4ck3r reported:
A stored XSS payload can be entered into the First name or Surname fields on /book-appointment.html that can be fired by an Admin user visiting the query appointment API endpoint directly:
NOTE: THIS PAYLOAD ONLY WORKS IN FIREFOX AND CHROME BROWSERS
Steps to Reproduce
- Go to /book-appointment.html and create a new appointment, setting the first name to
- Sign in as the admin user.
- Use Burp to proxy traffic.
- On /drpanel/index.php, go to the appointment you made in Step 1 and click on the patient's name to display the appointment details.
- Go to Burp's HTTP History and copy the URL of the last GET request to /drpanel/drapi/query.php. This will be something like /drpanel/drapi/query.php?aptid=56914781 where 56914781 is the appointment ID.
- When you visit the URL, you will see an alert box displayed showing XSS
If stored XSS is possible then it can be possible for an attacker to leak the authentication cookie and log in as the admin user. The impact is lower because the victim needs to use Firefox or IE and has to visit the API URL directly.
FirstBlood ID: 10
Vulnerability Type: Stored XSS
When creating an appointment, it is possible to get stored XSS on /drapi/query.php via the patient's name.
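A defender's illustration of the root cause, added here and not FirstBlood's or the reporter's code: a hypothetical query.php handler in the unsafe form the report implies (the stored name concatenated into the admin response) beside two hardened forms. The sample record, the function names and the response shape are constructed for the example; only the `aptid` parameter name comes from the report.

```php
<?php
// Added example, not FirstBlood's code: a hypothetical query.php handler in two
// forms, the pattern the report describes (stored name echoed into the admin
// response unencoded) and a hardened version. The database lookup is replaced
// by a constructed record whose first name carries the kind of value the
// report says gets stored from the booking form.

// Constructed sample row; in the real app this comes from the appointments table.
$appointment = [
    'aptid'     => 56914781,
    'firstname' => '<script>alert(1)</script>',
    'surname'   => 'Smith',
];

// Vulnerable pattern: stored values are concatenated straight into HTML, so the
// admin's browser parses whatever the patient typed as markup.
function render_vulnerable(array $apt): string
{
    return '<p>Patient: ' . $apt['firstname'] . ' ' . $apt['surname'] . '</p>';
}

// Hardened HTML rendering: every stored value is entity-encoded at the point it
// is written into the page. ENT_QUOTES covers ' and " as well, so the same
// helper is safe inside attribute values, not only between tags.
function render_hardened(array $apt): string
{
    $enc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p>Patient: ' . $enc($apt['firstname']) . ' ' . $enc($apt['surname']) . '</p>';
}

// Hardened API response: if query.php is meant to be an API, answer with JSON and
// the right Content-Type so a browser that opens the URL directly does not treat
// the body as HTML. JSON_HEX_TAG and friends also encode <, >, &, ' and ", so the
// stored value stays inert even if a client later inlines it into a script block.
function json_hardened(array $apt): string
{
    header('Content-Type: application/json; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    return json_encode(
        $apt,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

echo render_vulnerable($appointment), PHP_EOL; // script tag reaches the browser intact
echo render_hardened($appointment), PHP_EOL;   // tag arrives as inert &lt;script&gt; text
echo json_hardened($appointment), PHP_EOL;     // angle brackets escaped inside a JSON string
```

The encoding step is applied at output time, not when the appointment is stored, because the same name may later be written into HTML, JSON or a SQL query and each context needs its own encoding.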