FirstBlood-#666 — Stored XSS via message field on MANAGE APPOINTMENT
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-27, newrouge Level 3 reported:
Hey, I found that the message parameter is vulnerable to stored XSS, and it affects all users visiting the manage appointment page with our appointment ID.
The user's message was reflected inside the msg='hello user' variable in JS context.
As we learned on Barker, it is possible to get XSS in JS context by using arithmetic operators, i.e. '-alert(1)-'.
Make an appointment with message: '-alert(1)-'
Now copy the appointment ID and retrieve your appointment on manage appointment. XSS will execute.
Now let's try to steal admin or any user's cookies with this payload in the message field.
It becomes:
It closes the msg='' variable, then puts our payload document.cookie, and lastly a='test' closes the quote appended by the program at the end.
Now when you send your manage appointment URL to the victim, XSS will execute in their context, and cookies will be sent to your server.
https://1cec34382c6a-newrouge.a.firstbloodhackers.com/manageappointment.php?success&aptid=3a03d769-7570-4b54-82c5-2fdb2b750d85, send this URL to the victim. Your server gets the victim's cookies.
FirstBlood ID: 22
Vulnerability Type: Stored XSS
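An added example, not part of the report or of FirstBlood's own code, showing in PHP the pattern behind this finding: the vulnerable way of dropping a stored message into a JavaScript string literal beside a hardened version that serialises it with json_encode. The function names and the sample message are assumptions.

```php
<?php
// Added example (not FirstBlood code): embedding an appointment message
// into a <script> block on a page such as manageappointment.php.

// Vulnerable pattern: the stored message is concatenated straight into a
// single-quoted JS literal, so a value like '-alert(1)-' closes the literal
// and the remainder runs as code when the page is viewed.
function render_message_vulnerable(string $msg): string
{
    return "<script>var msg='" . $msg . "';</script>";
}

// Hardened pattern: json_encode emits a valid JS string literal, and the
// JSON_HEX_* flags encode < > ' " & as \uXXXX so the value can neither end
// the literal nor terminate the surrounding <script> element.
function render_message_safe(string $msg): string
{
    $encoded = json_encode(
        $msg,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_UNESCAPED_UNICODE
    );
    if ($encoded === false) {
        // Invalid UTF-8 or other encoding failure: fall back to an empty literal
        // rather than echoing the raw value.
        $encoded = '""';
    }
    return "<script>var msg=" . $encoded . ";</script>";
}

// Constructed sample value, the same probe the report used.
$probe = "'-alert(1)-'";

echo render_message_vulnerable($probe), PHP_EOL;
echo render_message_safe($probe), PHP_EOL;
```

Run it with the PHP CLI and compare the two lines: only the hardened output keeps the probe inside one string literal.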