FirstBlood-#56 — Stored XSS on /drpanel/drapi/query.php?aptid=<ID>
This issue was discovered on FirstBlood v1
On 2021-05-09, rintox Level 3 reported:
There's a Stored XSS when booking an appointment. When a Doctor wants to see the contact information of a client, with the right payload, the first name parameter is vulnerable to a SXSS attack.
Steps to reproduce
- Go to the endpoint /book-appointment.html
- In the first name field, insert the following payload: Rintox <svg/onmouseenter="confirm`1`">
- Now as the logged-in Doctor, visit the main dashboard and notice the appointment
- When clicking on the name, the application will make a request, grab that request from burp.
- You can notice the response has a content-type of text/html.
- Now visit that URL and hover your mouse over the end of the name (in this case Rintox) and the XSS will execute
The Stored XSS will affect all logged-in Doctors including admins, that when visiting the URL of the client information, the malicious JS code will execute.
FirstBlood ID: 10
Vulnerability Type: Stored XSS
When creating an appointment, it is possible to get stored XSS /drapi/query.php via the patients name