FirstBlood-#463 Cancelled Appointments is still vulnerable to Stored XSS
This issue was discovered on FirstBlood v2

On 2021-10-25, kinako Level 5 reported:

Dear FirstBlood security team, I found a vulnerability on your service. I hope this report will help you.

Summary

A Stored XSS on the /drpanel/cancelled.php endpoint was reported in FirstBlood v1, and I confirm that the vulnerability still exists in FirstBlood v2.

Vulnerability Description(PoC)

First of all, we can cancel our own appointment via the /manageappointment.php endpoint.

When cancelling, we can add a message parameter to leave a message for the doctors, like this:

And this message param is reflected like this in the admin panel:

Thanks to the FirstBlood v1 report, I knew this functionality was vulnerable to Stored XSS, so I tested it again.

I used this payload:

message="><img/src="x"/onmouseenter=alert`document.cookie`//

Unfortunately, this Stored XSS bug is still alive.

Impact

  • FirstBlood v2 sets no HttpOnly flag on the session cookie, so an attacker can steal the admin account's session cookie and perform ATO (Account Takeover)
  • Phishing

Regards, kinako

P2 High

Endpoint: /drpanel/cancelled.php

Parameter: message

Payload: message="><img/src="x"/onmouseenter=alert`document.cookie`//

FirstBlood ID: 22
Vulnerability Type: Stored XSS

Whilst an attempt was made to fix the stored XSS vulnerability in managing an appointment, it actually introduced new issues: the injection now also occurs when creating and editing an appointment, not just when cancelling it. Making use of htmlentities() and relying on .value() in JavaScript to encode certain characters does not prevent XSS overall. The 'fix' to this issue also leaves cancelled appointments vulnerable for admins.
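The note above says that entity-encoding on the server and then relying on .value() in JavaScript does not prevent the XSS. The following is an added example written for this page, not FirstBlood's own code, that models why: the server encodes the message into an input's value attribute, the browser decodes the entities when the page's script reads .value, and if the script then writes that string with innerHTML the attacker's markup is reconstructed. The hidden input id "msg", the cell wrapper and the helper names are assumptions; the payload is the one from the report.

```javascript
// Added example (not FirstBlood code): context-aware output encoding for a
// cancellation message, and why a server-side htmlentities() call is undone
// when JavaScript later reads the value back and writes it with innerHTML.

// Constructed input: the payload shape from the report above.
const PAYLOAD = '"><img/src="x"/onmouseenter=alert`document.cookie`//';

// Encode for HTML text and double-quoted attribute contexts (the same
// characters PHP's htmlspecialchars($s, ENT_QUOTES) rewrites).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// What the browser does when it parses an attribute value: entities are
// decoded, so input.value returns the raw string the server tried to neutralise.
function decodeEntities(s) {
  const map = { amp: '&', lt: '<', gt: '>', quot: '"', '#039': "'" };
  return s.replace(/&(amp|lt|gt|quot|#039);/g, (m, name) => map[name]);
}

// Server side (PHP-style): the message is entity-encoded into a hidden input
// (id "msg" is an assumed name). This part is correct on its own.
function serverRenderHiddenInput(message) {
  return `<input type="hidden" id="msg" value="${escapeHtml(message)}">`;
}

// Extract the stored attribute text and simulate reading it via .value.
function readDotValue(hiddenInputHtml) {
  const stored = hiddenInputHtml.match(/value="([^"]*)"/)[1]; // as served
  return decodeEntities(stored);                               // as .value returns it
}

// Unsafe client pattern: hand the decoded .value to an innerHTML sink.
// The attacker-supplied markup is parsed as HTML again.
function unsafeClientRender(hiddenInputHtml) {
  return `<td>${readDotValue(hiddenInputHtml)}</td>`;
}

// Safe client pattern: treat the value as text at the sink. Re-encoding here
// is the string equivalent of assigning to textContent instead of innerHTML.
function safeClientRender(hiddenInputHtml) {
  return `<td>${escapeHtml(readDotValue(hiddenInputHtml))}</td>`;
}

// Review check: does any raw HTML-significant character survive inside the
// cell body? A correctly encoded message leaves none.
function cellBodyIsEncoded(cellHtml) {
  const body = cellHtml.replace(/^<td>/, '').replace(/<\/td>$/, '');
  return !/[<>"]/.test(body);
}

const served = serverRenderHiddenInput(PAYLOAD);
console.log('served attribute :', served);
console.log('unsafe innerHTML :', unsafeClientRender(served), '-> encoded?', cellBodyIsEncoded(unsafeClientRender(served)));
console.log('safe textContent :', safeClientRender(served), '-> encoded?', cellBodyIsEncoded(safeClientRender(served)));
```

The point for the fix is that encoding must happen at the final sink in the context where the data is inserted. Encoding once on the server and then moving the string through a DOM attribute and back into innerHTML gives the browser a chance to decode it in between, which is exactly the round trip the note describes.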