FirstBlood-#538Modify Appointment Form is vulnerable to Stored XSS
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-26, kinako Level 5 reported:

Dear FirstBlood security team, I found a vulnerability on your service. I hope this report will help you.

Summary

In Modify appointment page, we can change our booked appointment.

Because of no protection against XSS, the malicious user can perform Stored XSS and it can lead to account takeover.

Vulnerability Description(PoC)

First of all, /manageappointment.php endpoint has a JS snippet like below:

        <script>
    var msg = '<user message is filled here>';
    $(document).ready(function () {
        document.getElementById("message").value = msg;
    });
</script>

var msg reflects user's message param value so if we input message=hoge, then it becomes var msg = 'hoge';.

There seems no sanitization, we can easily perform XSS by entering msg='*alert(document.cookie);//.

This is the evidence of it.

HTML source.

I thought this is so-called "self-XSS". In conclusion, this is not self-XSS.

I tried to find the way of making victim modify their message value to XSS payload, but so far I don't find such a way.

After that, I noticed this page does not require any session or login process.

This means that everyone who knows this URL like https://9d825e154bdf-kinako.a.firstbloodhackers.com/manageappointment.php?success&aptid=<aptid> can see others' modify appointment page.

(Generally speaking, edit page like this restricts to see other users' edit even though they know edit page URL but firstblood v2 modify appointment page doesn't!)

So if the attacker is successful in making victim access to malicious modify appointment page, then they can perform XSS without any other process.

Impact

  • firstblood v2 still does not have HttpOnly flag in Cookie so the attacker can steal session cookie relatively easily
  • Phishing

Regards, kinako

P2 High

Endpoint: /manageappointment.php

Parameter: message

Payload: message='*alert(document.cookie);//


FirstBlood ID: 22
Vulnerability Type: Stored XSS

Whilst an attempt was made to fix the stored XSS vulnerability in managing an appointment, it actually introduced new issues such as when creating and editing and not just when cancelling the appointment. Making use of htmlentities() and relying on .value() in javascript to encode certain characters does not prevent XSS overall. The 'fix' to this issue also results in it being vulnerable to admins on cancelled appointments as well.