FirstBlood-#56 Stored XSS on /drpanel/drapi/query.php?aptid=<ID>



On 2021-05-09, rintox reported:

Summary

There's a Stored XSS when booking an appointment. When a Doctor wants to see the contact information of a client, with the right payload the first name parameter is vulnerable to an SXSS attack.

Steps to reproduce

  1. Go to the endpoint /book-appointment.html
  2. In the first name field, insert the following payload: Rintox <svg/onmouseenter="confirm`1`">
  3. Now, as the logged-in Doctor, visit the main dashboard and notice the appointment.
  4. When clicking on the name, the application will make a request; grab that request from Burp.
  5. You can notice the response has a content-type of text/html.
  6. Now visit that URL and hover your mouse over the end of the name (in this case Rintox) and the XSS will execute.

Impact

The Stored XSS will affect all logged-in Doctors, including admins: when they visit the URL of the client information, the malicious JS code will execute.

P2 High

Endpoint: /book-appointment.html

Parameter: fname

Payload: Rintox <svg/onmouseenter="confirm`1`">


FirstBlood ID: 10
Vulnerability Type: Stored XSS

When creating an appointment, it is possible to get stored XSS on /drapi/query.php via the patient's name.
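The root cause described above is an API endpoint that echoes a stored patient field into a response served as text/html. The following is an added example, not the FirstBlood application's own code: a minimal stand-in for the query.php handler that shows the unsafe pattern next to two hardened variants. The `$appointments` array is a constructed replacement for the database lookup, and the stored fname is the payload from the report; PHP 7.4 or newer is assumed.

```php
<?php
// Added example (not the FirstBlood application's code): stand-in for /drpanel/drapi/query.php?aptid=<ID>.
// $appointments is a constructed replacement for the database lookup; the fname is the report's payload.
declare(strict_types=1);

$appointments = [
    10 => ['fname' => 'Rintox <svg/onmouseenter="confirm`1`">', 'lname' => 'Example', 'phone' => '555-0100'],
];

// Unsafe: stored patient data is concatenated straight into an HTML body. Because the response is
// served as text/html, the browser parses the <svg> tag in fname and its event handler fires.
function render_unsafe(array $row): array {
    $body = '<p>Patient: ' . $row['fname'] . ' ' . $row['lname'] . ' (' . $row['phone'] . ')</p>';
    return ['Content-Type: text/html; charset=utf-8', $body];
}

// Fix 1: keep the HTML output but encode every stored value at the point it is emitted.
function render_escaped(array $row): array {
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $body = '<p>Patient: ' . $e($row['fname']) . ' ' . $e($row['lname']) . ' (' . $e($row['phone']) . ')</p>';
    return ['Content-Type: text/html; charset=utf-8', $body];
}

// Fix 2: a data endpoint should not render HTML at all. Return JSON with the matching content type so
// the browser never treats the body as a document; the JSON_HEX_* flags additionally encode < > & ' "
// so the body stays inert even if a client later embeds it in markup without escaping.
function render_json(array $row): array {
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR;
    return ['Content-Type: application/json; charset=utf-8', json_encode($row, $flags)];
}

// Authorization (is the caller a logged-in Doctor?) is assumed to be enforced before this point.
$id  = filter_input(INPUT_GET, 'aptid', FILTER_VALIDATE_INT);
$row = ($id !== null && $id !== false) ? ($appointments[$id] ?? null) : null;
if ($row === null) {
    http_response_code(404);
    exit;
}
[$contentType, $body] = render_json($row);   // swap in render_escaped() to keep an HTML response
header($contentType);
header('X-Content-Type-Options: nosniff');   // stops MIME sniffing from turning the JSON into HTML
echo $body;
```

With either fix, hovering over the rendered name in step 6 of the report no longer executes the handler, because the stored string reaches the browser as data rather than as markup.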


Respect Earnt: 1500000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.