FirstBlood-#646 — [COLLAB] Stored XSS on Cancel appointment which leads to ATO
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-27, amec0e Level 3 reported:
Using a previously disclosed report I found that when cancelling an appointment, the message= parameter is still vulnerable to a Stored XSS when viewed in the endpoint. This allows a malicious user to leak a doctor/drAdmin drps cookie because of a missing cookie attribute httponly, which can lead to an account takeover.
Steps to Reproduce:
- Create an appointment and fill in all the details.
- Once you have your appointment GUID, copy this and visit the endpoint
- Paste your GUID and click "Modify Appointment"
- Start your Ngrok server and turn Intercept on in Burp Suite.
- Click "Cancel Appointment" and Intercept the request.
- Add the message parameter with the following payload while replacing the ngrokaddress with your ngrok address:
- Now login as a doctor/admin and visit the endpoint
- Click the cancelled appointment to view the left message.
You will now be sent to our Ngrok address along with the doctor/admin
In Collaboration with thebinarybot
FirstBlood ID: 22
Vulnerability Type: Stored XSS
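An added example, not part of the report above or of FirstBlood's own code, showing the defender's side of the two root causes it names: HTML-escaping the appointment message before it is rendered, and auditing a Set-Cookie header so the drps session cookie is never issued without HttpOnly. It assumes a Node.js environment; the cookie value and the hardened attribute set are constructed assumptions.

```javascript
// Added example (not from the FirstBlood report or code base).
// Assumes Node.js; cookie values are constructed samples.

// Escape a string for an HTML text context so a stored payload in the
// "message" field is rendered as literal text rather than as markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Render the cancelled-appointment message the way a safe template should.
function renderCancelMessage(message) {
  return `<div class="cancel-reason">${escapeHtml(message)}</div>`;
}

// Parse one Set-Cookie header and report which hardening attributes are
// missing. Attribute names are matched case-insensitively, as browsers do.
function auditSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((p) => p.trim());
  const name = pair.split('=')[0];
  const present = new Set(attrs.map((a) => a.split('=')[0].toLowerCase()));
  const missing = ['httponly', 'secure', 'samesite'].filter((a) => !present.has(a));
  return { name, missing };
}

// Build a hardened Set-Cookie header for a session cookie: HttpOnly keeps
// document.cookie (and therefore any injected script) from reading it.
function hardenedSessionCookie(name, value) {
  return `${name}=${value}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample: a cookie issued like the report describes (no HttpOnly)
// next to the hardened form, plus an escaped message.
const weak = 'drps=SAMPLE_SESSION_VALUE; Path=/';
const fixed = hardenedSessionCookie('drps', 'SAMPLE_SESSION_VALUE');
console.log(auditSetCookie(weak));   // { name: 'drps', missing: [ 'httponly', 'secure', 'samesite' ] }
console.log(auditSetCookie(fixed));  // { name: 'drps', missing: [] }
console.log(renderCancelMessage('<b>reason</b> & "note"'));
```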