FirstBlood-#674 — 0-click admin account takeover via stored XSS on admin dashboard through cancel appointment.
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-27, newrouge Level 3 reported:
Hey, I found that it is possible to exfiltrate admin cookies by planting a 0-click stored XSS on the admin dashboard through cancel appointment.
- Looking back through cancelled appointments, every user has left a message giving the cancellation reason. But when we cancel there is no option to leave a message.
- So, adding an extra parameter message= in the cancel request will send the message to the admin dashboard.
- Now it is possible to execute XSS through this message on the admin dashboard and steal admin cookies.
Input is reflected inside an <a tag, which can be easily escaped with "> so that new HTML tags can be introduced.
Create an appointment and note down its ID.
Go to manage appointment, then click cancel appointment and intercept the request.
Modify the request by adding a message parameter with your payload to extract cookies.
Send the request.
Now, as an admin, go to /drpanel/cancelled.php to check the cancelled appointment.
You will be redirected to the attacker's domain the moment you visit the page, without any click.
Now the attacker can log in to the admin account with this cookie.
FirstBlood ID: 22
Vulnerability Type: Stored XSS