Hello Zseano! I hope you're doing well today! I found a stored cross-site scripting vulnerability that I could escalate to account takeover by stealing cookies. My payload currently requires minimal user-interaction, 1-click to be exact. If I still do find a better one, one without user interaction, I will make sure to update my report before triage.
My payload now requires nothing to fire. Here is my payload:
Payload that goes away with cookie:
Thanks a lot! Found a similar bug in the wild, this again proves that FirstBlood is extremely realistic :D!
Steps to reproduce
- Visit /book-appointment.html and fill in all the required fields and click on Book Appointment.
- Next, copy the Appointment ID and visit
- Paste in the previously copied ID and Retrieve Appointment.
- After that, scroll down and click on Cancel Appointment. Make sure you intercept this request.
- Add the message with the following payload:
- You will normally get a confirm box confirming that Your appointment has been cancelled, click on Ok.
- Next, visit /login.php and login with the credentials provided:
- Navigate to /drpanel/cancelled.php, and click on the last cancelled appointment.
- You'll see that we get redirected to https://example.com/?cookie=drps=e7340a3ab0c53934aa368ed55 with our cookie in the cookie parameter. This cookie can be easily reused even if the admin securely logged out. This is because the cookie does not expire.
I was able to take over an admin account by cancelling our appointment and including a message.
It took me some time to get to this payload, I first tried some basic HTML tags and quickly realised that most of the common ones are blocked. Because we are not allowed to use any automated tools, I went and just tried custom tags. This worked :D! I thought that maybe
Thanks a lot for the fun challenge! Have a nice day!
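The report above turns on three defects: the cancellation message is rendered into the admin panel without output encoding, the session cookie is readable by script, and the cookie stays valid after logout and never expires. The following is an added example, written for this page and not code from the report or from the FirstBlood application, showing the server-side fixes a defender would apply: HTML-escape the message on output, set the session cookie with HttpOnly/Secure/SameSite/Max-Age, and keep session validity in a server-side table so a copied token dies on logout or after its lifetime. The cookie name `drps` comes from the report; the sample message, the `SessionStore` class and the `demo()` walkthrough are constructed for illustration.

```python
import html
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed sample: a cancellation message carrying markup instead of plain
# text (a stand-in, not the payload from the report).
SAMPLE_MESSAGE = '<custom-tag onmouseover="alert(1)">please cancel</custom-tag>'


def render_cancellation_message(message: str) -> str:
    """Return the message as inert HTML text for the admin's cancelled view.

    Every character with meaning in HTML (including quotes, so it is also safe
    inside an attribute) is escaped, so whatever the patient typed is shown
    literally and never becomes an element, attribute or event handler.
    """
    return html.escape(message, quote=True)


def session_cookie_header(name: str, value: str, max_age: int) -> str:
    """Build a Set-Cookie header value that scripts cannot read and that expires.

    HttpOnly keeps document.cookie from exposing the value to injected script,
    Secure restricts it to HTTPS, SameSite=Strict blocks cross-site sends, and
    Max-Age gives the browser a hard expiry instead of a cookie that never ends.
    """
    return (f"{name}={value}; Path=/; HttpOnly; Secure; SameSite=Strict; "
            f"Max-Age={max_age}")


class SessionStore:
    """Server-side session table with expiry and explicit logout.

    Validity is decided here rather than by the token's mere existence, so a
    token copied out of a browser stops working once its owner logs out or its
    lifetime passes. (Hypothetical helper written for this example.)
    """

    def __init__(self, ttl_seconds: int, clock: Callable[[], float] = time.time):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so tests can move time forward
        self._sessions: Dict[str, Tuple[str, float]] = {}

    def create(self, username: str) -> str:
        token = secrets.token_urlsafe(32)  # 256-bit random token
        self._sessions[token] = (username, self.clock() + self.ttl)
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the owning username, or None if unknown, logged out or expired."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expires_at = entry
        if self.clock() >= expires_at:
            del self._sessions[token]  # expired: drop it server-side too
            return None
        return username

    def logout(self, token: str) -> None:
        """Invalidate the token server-side; clearing the browser cookie is not enough."""
        self._sessions.pop(token, None)


def demo() -> dict:
    """Walk through the three fixes and return what each one yields."""
    now = [1_000_000.0]  # constructed clock so the expiry path is deterministic
    store = SessionStore(ttl_seconds=3600, clock=lambda: now[0])
    token = store.create("admin")
    before_logout = store.validate(token)
    store.logout(token)
    after_logout = store.validate(token)  # None: logout revoked it server-side
    token2 = store.create("admin")
    now[0] += 3601  # move the clock past the session lifetime
    after_expiry = store.validate(token2)  # None: lifetime exceeded
    return {
        "escaped": render_cancellation_message(SAMPLE_MESSAGE),
        "cookie_header": session_cookie_header("drps", "placeholder-token", 3600),
        "before_logout": before_logout,
        "after_logout": after_logout,
        "after_expiry": after_expiry,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Escaping at the point of output (rather than blocklisting tags on input, which the report shows being bypassed with custom tag names) is what makes the stored message harmless regardless of what was submitted; the HttpOnly attribute removes the cookie from `document.cookie` even if some other injection slips through, and server-side invalidation is what would have made the captured `drps` value worthless after the admin logged out.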