FirstBlood-#284 — Cross Site Scripting vulnerability in client firstname/lastname
This issue was discovered on FirstBlood v1.0.0
On 2021-05-15, YouGina Level 2 reported:
Using the form to create an appointment (located at endpoint /book-appointment.html) it is possible to inject an XSS payload which will trigger on one of the endpoints in the backend panel. This form sends a post request to the endpoint /api/ba.php. The Firstname and Lastname fields are vulnerable. In the post request these are the fname and lname parameters.
Steps to reproduce
Make sure a proxy is running in the background, or keep the developer tools in the browser open on the network tab.
- Open the book-appointment.html page
- Fill in all the fields normally
- Replace the firstname and lastname fields with the payload:
- Submit the form
- Now log in as a doctor and click the latest added appointment.
- Go to the proxy, or the network tab in developer tools of the browser and find the latest request.
- Open this URL in the browser
The payload I used for that Proof of Concept is:
alert("PoC - [email protected]\rdocument.domain: " + document.domain + "\rlocation.origin: " + location.origin);
fname and lname
FirstBlood ID: 10
Vulnerability Type: Stored XSS
When creating an appointment, it is possible to get stored XSS in /drapi/query.php via the patient's name.
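The root cause described in the report is that the stored `fname`/`lname` values are written into the doctor panel's HTML without output encoding. The following is an added example, not FirstBlood's own code, showing the vulnerable rendering pattern next to the hardened one; the function names and the sample stored value are assumptions made for illustration.

```php
<?php
// Added example (not FirstBlood's own code): rendering a stored patient name
// in the doctor panel. Function names and the sample input are assumptions.

// Vulnerable pattern: the stored value is concatenated straight into HTML,
// so any markup submitted through fname/lname executes in the viewer's browser.
function render_name_unsafe(string $name): string {
    return "<td>" . $name . "</td>";
}

// Hardened pattern: contextual output encoding for an HTML text node.
// ENT_QUOTES also escapes single and double quotes, so the same helper is
// safe if the value is later placed inside a quoted attribute.
function render_name_safe(string $name): string {
    $escaped = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<td>" . $escaped . "</td>";
}

// Constructed sample input resembling what the report injects via fname.
$stored = '<script>alert(document.domain)</script>';

// Unsafe output still contains an executable script element.
echo render_name_unsafe($stored), PHP_EOL;

// Safe output contains no raw tag; the browser shows the payload as text.
$safe = render_name_safe($stored);
assert(strpos($safe, '<script') === false);
echo $safe, PHP_EOL;
```

Encoding at the point of output, rather than filtering on input at /api/ba.php, is the durable fix: the same stored name may be rendered in several endpoints (the report names /drapi/query.php), and each HTML context needs the encoding applied where the value is emitted.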