FirstBlood-#56 Stored XSS on /drpanel/drapi/query.php?aptid=<ID>
This issue was discovered on FirstBlood v1

On 2021-05-09, rintox Level 3 reported:


There's a Stored XSS when booking an appointment. When a Doctor wants to see the contact information of a client, the first name parameter, given the right payload, is vulnerable to an SXSS attack.

Steps to reproduce

  1. Go to the endpoint /book-appointment.html
  2. In the first name field, insert the following payload: Rintox <svg/onmouseenter="confirm`1`">
  3. Now, as the logged-in Doctor, visit the main dashboard and notice the appointment
  4. When clicking on the name, the application will make a request; grab that request from Burp.
  5. Notice that the response has a content-type of text/html.
  6. Now visit that URL and hover your mouse over the end of the name (in this case Rintox) and the XSS will execute


The Stored XSS will affect all logged-in Doctors, including admins: when they visit the URL of the client information, the malicious JS code will execute.

P2 High

Endpoint: /book-appointment.html

Parameter: fname

Payload: Rintox <svg/onmouseenter="confirm`1`">

FirstBlood ID: 10
Vulnerability Type: Stored XSS

When creating an appointment, it is possible to get stored XSS on /drapi/query.php via the patient's name.
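The root cause the report points at is an API endpoint that concatenates stored patient fields into a response served as text/html. The PHP below is an added illustration, not FirstBlood's own code: the vulnerable output pattern beside two hardened forms, with function names and the `$appointment` record constructed for the example.

```php
<?php
// Added illustration (not FirstBlood's code). Names and data are constructed.

// Constructed sample record: the stored first name carries the reported payload.
$appointment = [
    'fname' => 'Rintox <svg/onmouseenter="confirm`1`">',
    'lname' => 'Example',
    'email' => 'rintox@example.invalid',
];

// Vulnerable shape: stored fields are concatenated into a text/html response, so
// the browser parses the <svg> tag and runs the handler when the doctor hovers.
function render_vulnerable(array $a): string
{
    header('Content-Type: text/html');
    return 'Name: ' . $a['fname'] . ' ' . $a['lname'] . '<br>Email: ' . $a['email'];
}

// Hardened shape 1: query.php is an API, so answer with JSON, declare it as
// such, and forbid MIME sniffing so the body is never interpreted as HTML.
function render_json(array $a): string
{
    header('Content-Type: application/json; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    return json_encode(
        ['fname' => $a['fname'], 'lname' => $a['lname'], 'email' => $a['email']],
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Hardened shape 2: if the response must stay HTML, escape every stored field
// for the HTML text context at the point of output, not at the point of storage.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_html(array $a): string
{
    header('Content-Type: text/html; charset=utf-8');
    return 'Name: ' . e($a['fname']) . ' ' . e($a['lname']) . '<br>Email: ' . e($a['email']);
}

// With either hardened form the stored <svg> payload is shown as literal text
// (or as a JSON string value) and is no longer parsed as markup.
echo render_html($appointment), PHP_EOL;
echo render_json($appointment), PHP_EOL;
```

A quick regression check for the finding is to fetch the query.php response for a record whose name contains markup and confirm the Content-Type is application/json with nosniff set, or that the markup arrives entity-encoded.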