FirstBlood-#56 Stored XSS on /drpanel/drapi/query.php?aptid=<ID>
This issue was discovered on FirstBlood v1



On 2021-05-09, rintox Level 3 reported:

Summary

There's a Stored XSS when booking an appointment. When a Doctor wants to see the contact information of a client, with the right payload, the first name parameter is vulnerable to a SXSS attack.

Steps to reproduce

  1. Go to the endpoint /book-appointment.html
  2. In the first name field, insert the following payload: Rintox <svg/onmouseenter="confirm`1`">
  3. Now, as the logged-in Doctor, visit the main dashboard and notice the appointment
  4. When clicking on the name, the application will make a request; grab that request from Burp.
  5. You can notice the response has a content-type of text/html.
  6. Now visit that URL and hover your mouse over the end of the name (in this case Rintox), and the XSS will execute

Impact

The Stored XSS will affect all logged-in Doctors, including admins: when visiting the URL of the client information, the malicious JS code will execute.

P2 High

Endpoint: /book-appointment.html

Parameter: fname

Payload: Rintox <svg/onmouseenter="confirm`1`">


FirstBlood ID: 10
Vulnerability Type: Stored XSS

When creating an appointment, it is possible to get stored XSS in /drapi/query.php via the patient's name.
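The root cause and its fix, as an added illustration that is not FirstBlood's own code: a hypothetical query.php that writes the stored first name straight into a text/html response, beside two hardened renderers. The table and column names, fetch_patient and the $db handle are assumptions; the authorisation check for the logged-in doctor is assumed to happen before this point.

```php
<?php
// Added illustration, not FirstBlood's code. Hypothetical /drpanel/drapi/query.php
// returning a patient's contact details for ?aptid=<ID>. Table/column names,
// fetch_patient() and $db are assumptions.
declare(strict_types=1);

function fetch_patient(PDO $db, int $aptid): ?array {
    $stmt = $db->prepare('SELECT fname, lname, email FROM appointments WHERE id = :id');
    $stmt->execute([':id' => $aptid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// VULNERABLE pattern matching the report: the stored first name is interpolated
// into a text/html body unencoded. A value such as
//   Rintox <svg/onmouseenter="confirm`1`">
// is parsed as markup, so the event handler runs in the doctor's session.
function render_vulnerable(array $p): void {
    header('Content-Type: text/html');
    echo "<p>Name: {$p['fname']} {$p['lname']}</p><p>Email: {$p['email']}</p>";
}

// HARDENED (HTML): encode every untrusted value for the HTML context on output.
// ENT_QUOTES also encodes both quote characters, so attribute contexts are
// covered; the payload above is displayed as literal text and no element exists.
function render_hardened_html(array $p): void {
    header('Content-Type: text/html; charset=utf-8');
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    echo '<p>Name: ' . $e($p['fname']) . ' ' . $e($p['lname']) . '</p>'
       . '<p>Email: ' . $e($p['email']) . '</p>';
}

// HARDENED (API): if the dashboard only needs data, answer with JSON and a
// non-HTML content type, so the browser never parses the body as markup even
// when the URL is opened directly, as in the report's final step.
function render_hardened_json(array $p): void {
    header('Content-Type: application/json; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    echo json_encode($p, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// Validate the id as an integer before it reaches the query.
$aptid = filter_input(INPUT_GET, 'aptid', FILTER_VALIDATE_INT);
$patient = ($aptid === null || $aptid === false) ? null : fetch_patient($db, $aptid); // $db: assumed PDO handle
if ($patient === null) {
    http_response_code(404);
    exit;
}
render_hardened_json($patient);
```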