FirstBlood-#492 — Stored XSS through the appointments cancelation message leads to ATO
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-25, holybugx reported:
When users cancel their appointments they can leave a message for the doctor. The message is stored and later rendered in the doctor panel without any sanitization or output encoding, which makes Stored XSS possible on this endpoint. Because the doctor's session cookie is readable from the injected script, the vulnerability leads to a one-click takeover of the doctor's account.
Steps To Reproduce
- Make an appointment on the
After doing so you will be given an appointment ID:
- Use your appointment ID on the `/yourappointments.php` endpoint to manage your appointment:
- Intercept the request to `Cancel Appointment` and make the following changes before sending the final HTTP request:
- Add the following payload as the value of the `message` parameter and forward the request:
- Visit the `/drpanel/cancelled.php` endpoint using the doctor's account. If you click on the user's cancellation message, the XSS executes:
The doctor's `drps` cookie is sent to the attacker's server, which leads to a complete account takeover:
No User-Interaction Payload
The previous payload needs a click to execute. However, it is possible to craft a payload that needs no user interaction, although it does not work on Firefox:
The above payload results in a no-user-interaction XSS as soon as the doctor visits the
The `drps` cookies are sent to the attacker-controlled server, which results in a complete account takeover.
Impact
- Stored XSS leading to a one-click takeover of the doctor's account.
Recommendations
- Implement proper sanitization (output encoding of the cancellation message) on the
- Remove/expire the `drps` cookies server-side after logging out, so a cookie that was already exfiltrated stops working.
FirstBlood ID: 22
Vulnerability Type: Stored XSS