FirstBlood #682: Stored XSS through DOB
This issue was discovered on FirstBlood v2

On 2021-10-27, eliee (Level 7) reported:

Summary

It is possible to achieve stored XSS on the DrPanel through the DOB displayed in Today's Missed Appointments when clicking on the patient's name. This lets the attacker steal the cookies of the logged in doctor as they aren't marked HttpOnly.

Steps to reproduce

As there is no way to "miss" an appointment at the moment, this requires database access for now, but dob is vulnerable to storing the information when booking an appointment.

  1. Set the dob column for Sean zseano (id 56910419, state 1) to &lt;img/onerror='alert(document.cookie)'/src=x&gt; << this should contain & lt; & gt; instead of angle brackets, but it seems they are replaced. Either way, the input emulates how DOB is normally encoded when signing up.
  2. Log in to the drpanel and click on Sean zseano in the Today's Missed Appointments section
  3. An alert should display your current cookies

When registering

It is possible to set the DOB to the payload when registering. Simply intercept the request to /ba.php and change the value of dob to <img/onerror='alert(document.cookie)'/src=x> and it will end up as & lt;img/onerror='alert(document.cookie)'/src=x& gt; (spaces added by me) in the db. Cookies are accessible as they aren't marked HttpOnly.

Cookie still valid after logout

Even after logging out, the logged-in session won't be made invalid until the doctor signs in again at /login.php. This is testable by copying the drps cookie value from the alert, clicking Securely log out and then entering document.cookie = "drps=cookievalue;" into the console before visiting /drpanel/ again.

Screenshot

Additional note

It is possible to break out of the tooltip tag and use dangling markup etc as well (though stealing the drps cookie would be the main goal of an attacker).

Impact

Stored XSS executing on the admin part of the webpage which lets an attacker steal the cookies of the logged in doctor. The stolen cookie won't be invalidated until the doctor performs a new login - just logging out does not invalidate the session!

Remediation

As DOB is user-controlled input, it should be properly sanitized before being used on any webpage. The drps cookie should be marked HttpOnly. A

P4 Low

Endpoint: /drpanel/index.php#

Parameter: DOB

Payload: <img/onerror='alert(1)'/src=x>


FirstBlood ID: 41
Vulnerability Type: Stored XSS

Not fully working: Whilst it isn't possible to achieve Stored XSS without having access to the database (from SQL or RCE), when an appointment is "missed" with the "state=1", the date of birth is not protected from XSS. We ran out of time to finish building appointment handling so it doesn't count towards unique finds, but this was an intended feature we planned to build so it was interesting to see someone discovered it!
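The remediation above lists three fixes: encode the DOB for the HTML context where it is displayed, mark the drps cookie HttpOnly, and invalidate the session on logout. The following PHP is an added example written for this page; it is not FirstBlood's own code. The function names, the sample row, the assumption that drps is a PHP-managed session cookie, and the tooltip markup are all constructed for illustration. It contrasts the reported pattern (entities stored on input, decoded again on output) with output-time validation and encoding, and shows the cookie and logout handling a PHP application would use.

```php
<?php
declare(strict_types=1);

// Added example, not FirstBlood's code. Assumptions: "drps" is the PHP session
// cookie name, and the dob column holds the entity-encoded form the report
// describes. Function names are invented for this example.

// Constructed sample row: the booking form stored the entity-encoded payload.
$storedDob = '&lt;img/onerror=\'alert(document.cookie)\'/src=x&gt;';

// Before (shown only for contrast): the stored entities are decoded and dropped
// straight into the tooltip, which is the reported behaviour.
function renderDobVulnerable(string $dob): string
{
    $raw = html_entity_decode($dob, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a class="patient" title="' . $raw . '">' . $raw . '</a>';
}

// After, step 1: a DOB is a date, so accept only YYYY-MM-DD.
// Returns the normalised date or null when the value is not a real date.
function validateDob(string $dob): ?string
{
    $raw = html_entity_decode($dob, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $d = DateTimeImmutable::createFromFormat('!Y-m-d', $raw);
    // createFromFormat rolls "2021-02-31" over to March; the round trip catches it.
    if ($d === false || $d->format('Y-m-d') !== $raw) {
        return null;
    }
    return $d->format('Y-m-d');
}

// After, step 2: whatever reaches the template is encoded for the HTML context
// at output time. ENT_QUOTES also escapes the single quotes used by the
// reported payload, so the title attribute is safe as well as the text node.
function renderDobSafe(string $dob): string
{
    // Fall back to the decoded text when validation fails; it is still encoded.
    $shown = validateDob($dob) ?? html_entity_decode($dob, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $enc = htmlspecialchars($shown, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a class="patient" title="' . $enc . '">' . $enc . '</a>';
}

// After, step 3: set the cookie flags before the session starts so the
// drps cookie is HttpOnly (not readable via document.cookie), Secure and SameSite.
function startDoctorSession(): void
{
    session_name('drps'); // assumption: drps is the PHP session cookie
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// After, step 4: logout destroys the server-side session and expires the
// cookie, so a copied drps value stops working at logout rather than at the
// doctor's next login.
function logoutDoctor(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

// Demonstration (php-cli): the first line is live markup, the next two are inert.
echo renderDobVulnerable($storedDob), PHP_EOL;
echo renderDobSafe($storedDob), PHP_EOL;
echo renderDobSafe('1990-05-17'), PHP_EOL;
```

Run with `php example.php` to compare the two renderers. The design point is that escaping belongs at the output boundary: storing `&lt;` in the database only helps if nothing decodes it again later, whereas validating the field as a date and calling htmlspecialchars in the template neutralises the value regardless of how it was stored. startDoctorSession and logoutDoctor are meant to be called from /login.php and the logout handler respectively; they need the session extension and PHP 7.3 or later for the array forms of session_set_cookie_params and setcookie.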

Report Feedback

@zseano

Creator & Administrator


Nice find eliee! This isn't actually something intentionally added; values are sanitized before being inserted into the DB, with no protection when reflecting. We've added this as a new bug on firstblood but rated it P4 as SQL/RCE is required and those bugs enable an attacker to do a lot more :)