FirstBlood-#423 Stored XSS on the /manageappointment.php endpoint when canceling an appointment
This issue was discovered on FirstBlood v2.0.0 (issues patched)

On 2021-10-25, johandu97 Level 4 reported:

Summary

Improper input validation leads to attackers injecting malicious characters, causing XSS vulnerabilities.

POC

  1. Hi @zseano, I found reflected XSS on the manageappointment.php endpoint.
  2. When canceling an appointment, I added the message parameter with the payload test123'-alert(1)-'
  3. Send the URL to the victim: https://c6329b4c0ecc-johandu97.a.firstbloodhackers.com/manageappointment.php?success&aptid=61426cc3-7ef1-4a80-8b68-7150e78294af, and the XSS is executed.

Recommendations

Validate/sanitize malicious inputs that cause XSS, like < > ' " ...

P2 High

Endpoint: /api/ma.php

Parameter: message

Payload: test123'-alert(1)-'


FirstBlood ID: 22
Vulnerability Type: Stored XSS

Whilst an attempt was made to fix the stored XSS vulnerability in managing an appointment, it actually introduced new issues, such as when creating and editing and not just when cancelling the appointment. Making use of htmlentities() and relying on .value in JavaScript to encode certain characters does not prevent XSS overall. The 'fix' to this issue also results in it being vulnerable to admins on cancelled appointments as well.
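The payload test123'-alert(1)-' and the note above about htmlentities() and .value point at the same root cause: the message is encoded for an HTML text context but lands inside a JavaScript string literal, where a single quote is the character that matters. The following is an added example, not FirstBlood's source or the actual patch. The template in renderVulnerable is reconstructed from the payload shape and is an assumption; htmlEntitiesCompat approximates PHP's htmlentities() with ENT_COMPAT (the default before PHP 8.1, which leaves ' unencoded); the element id 'message' and the helpers jsStringLiteral and runInlineScript are hypothetical. runInlineScript stands in for a browser so the outcome can be observed offline: alert() firing means the payload escaped the string, the input receiving the exact text means it stayed data.

```javascript
// Added example (not FirstBlood's code): why test123'-alert(1)-' survives HTML-entity
// encoding when the value lands inside a JavaScript string literal, and a context-aware fix.

// The payload from the report.
const PAYLOAD = "test123'-alert(1)-'";

// Approximates PHP htmlentities() with ENT_COMPAT (the default before PHP 8.1): encodes
// & < > and the double quote but leaves the single quote alone. Assumption: this is the
// kind of encoding the report's "fix" applied to the message.
function htmlEntitiesCompat(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Hypothetical server-side template (reconstructed from the payload shape, not the real
// page): the entity-encoded message is interpolated into a single-quoted JS string and then
// written into an input via .value. Entity encoding is the wrong encoder for this context.
function renderVulnerable(message) {
  return "<script>var msg = '" + htmlEntitiesCompat(message) + "'; " +
         "document.getElementById('message').value = msg;</script>";
}

// Context-aware encoder for data embedded in an inline <script>: emit a JSON string literal
// and additionally \u-escape the characters the HTML parser acts on before the JS parser
// runs (</script>, <!--) plus the JS line terminators U+2028 and U+2029.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderSafe(message) {
  return "<script>var msg = " + jsStringLiteral(message) + "; " +
         "document.getElementById('message').value = msg;</script>";
}

// Minimal stand-in for a browser: extract the inline script from the rendered HTML and run
// it with alert() and document replaced by stubs. Returns how many times alert fired and
// what the input's .value ended up holding.
function runInlineScript(html) {
  const match = /<script>([\s\S]*?)<\/script>/.exec(html);
  if (!match) throw new Error('no inline script found');
  const input = { value: null };
  let alerts = 0;
  const alertStub = () => { alerts += 1; };
  const documentStub = { getElementById: () => input };
  new Function('alert', 'document', match[1])(alertStub, documentStub);
  return { alerts, value: input.value };
}

// Stand-alone run: the vulnerable template fires alert once ('test123'-alert(1)-'' is
// evaluated as arithmetic), the safe template passes the payload through as data.
console.log('vulnerable:', runInlineScript(renderVulnerable(PAYLOAD)));
console.log('safe      :', runInlineScript(renderSafe(PAYLOAD)));
```

The design point is that the encoder has to match the output context: htmlentities() is correct for HTML text and attribute values, but a value interpolated into a script block needs a JavaScript string encoder (or, better, should not be inlined into script at all and instead be read from a data attribute or set through textContent). Encoding the right characters for the wrong context is exactly what lets a payload with no angle brackets at all, like the one in this report, still execute.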