FirstBlood-#78 — [COLLAB] 1 Click XSS can lead to Admin Account Takeover
This issue was discovered on FirstBlood v1.0.0
On 2021-05-09, 0xblackbird reported:
Hello Zseano! I hope you're doing well today! I found a stored cross-site scripting vulnerability that I could escalate to account takeover by stealing cookies. My payload currently requires minimal user-interaction, 1-click to be exact. If I still do find a better one, one without user interaction, I will make sure to update my report before triage.
My payload now only requires nothing to fire. Here is my payload:
Payload that goes away with cookie:
Thanks a lot! Found a similar bug in the wild, this again proves that FirstBlood is extremely realistic :D!
Steps to reproduce
- Visit /book-appointment.html and fill in all the required fields and click on Book Appointment.
- Next, copy the Appointment ID and visit
- Paste in the previous copied ID and Retrieve Appointment.
- After that, scroll down and click on Cancel Appointment. Make sure you intercept this request.
- Add the message with the following payload:
- You will normally get a confirm box confirming that Your appointment has been cancelled, click on Ok.
- Next, visit /login.php and login with the credentials provided:
- Navigate to /drpanel/cancelled.php, and click on the last cancelled appointment.
- You'll see that we get redirected to https://example.com/?cookie=drps=e7340a3ab0c53934aa368ed55 with our cookie in the cookie parameter. This cookie can be easily reused even if the admin securely logged out. This is because the cookie does not expire.
I was able to take over an admin account by cancelling our appointment and including a message.
It took me some time to get to this payload, I first tried some basic html tags and quickly realised that most of the common ones are blocked. Because we are not allowed to use any automated tools, I went and just tried custom tags. This worked :D! I thought that maybe
Thanks a lot for the fun challenge! Have a nice day!
FirstBlood ID: 12
Vulnerability Type: Auth issues
If the request method is changed from POST to GET, then the endpoint /drapi/qp.php becomes available to ANY user due to an application logic error
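The report says the message field blocks the common HTML tags but lets a custom tag through. The example below is added here to show why that class of filter fails; it is not FirstBlood's code and not the reporter's payload. It assumes a hypothetical tag blocklist (`BLOCKED_TAGS`) of the kind the report describes, uses a constructed custom-tag message (`CUSTOM_SAMPLE`) in place of the real payload, and contrasts the blocklist with plain HTML encoding of the message for a text context. `event_handlers()` parses the stored fragment the way a browser tokenizer would and lists every `on*` attribute it would attach, which is the check a reviewer can run over stored messages to see whether a filter actually removed the executable parts.

```python
import html
import re
from html.parser import HTMLParser

# Hypothetical blocklist: the common tags the report says were blocked.
# A browser treats any other tag name as HTMLUnknownElement, and event
# handler attributes on such elements still run.
BLOCKED_TAGS = ("script", "img", "svg", "iframe", "object", "embed",
                "body", "a", "input", "video", "audio")

_BLOCKED_RE = re.compile(
    r"<\s*/?\s*(?:%s)\b[^>]*>" % "|".join(BLOCKED_TAGS), re.IGNORECASE
)

# Constructed inputs (not the reporter's payload).
BLOCKED_SAMPLE = '<img src=x onerror=alert(1)>'
CUSTOM_SAMPLE = '<custom onmouseover=alert(1)>hover me</custom>'


def blocklist_filter(message: str) -> str:
    """Strip every blocked tag. Unknown or custom tags pass untouched."""
    return _BLOCKED_RE.sub("", message)


def escape_filter(message: str) -> str:
    """Encode the message for an HTML text context instead of filtering.

    Every '<', '>', '&' and quote becomes an entity, so the browser never
    sees a tag, whatever name it has.
    """
    return html.escape(message, quote=True)


class _HandlerFinder(HTMLParser):
    """Collect (tag, attribute) pairs for every on* attribute in a fragment."""

    def __init__(self):
        super().__init__()
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.handlers.append((tag, name.lower()))

    # <tag .../> is a start tag for our purposes too.
    handle_startendtag = handle_starttag


def event_handlers(fragment: str) -> list:
    """Return the on* handlers a browser would attach when rendering fragment."""
    finder = _HandlerFinder()
    finder.feed(fragment)
    finder.close()
    return finder.handlers


def compare(message: str) -> dict:
    """Run both filters on one message and report what survives."""
    filtered = blocklist_filter(message)
    escaped = escape_filter(message)
    return {
        "blocklist_output": filtered,
        "blocklist_handlers": event_handlers(filtered),
        "escaped_output": escaped,
        "escaped_handlers": event_handlers(escaped),
    }


if __name__ == "__main__":
    for sample in (BLOCKED_SAMPLE, CUSTOM_SAMPLE):
        result = compare(sample)
        print("input:              ", sample)
        print("after blocklist:    ", result["blocklist_output"] or "(empty)")
        print("handlers remaining: ", result["blocklist_handlers"])
        print("after escaping:     ", result["escaped_output"])
        print("handlers remaining: ", result["escaped_handlers"])
        print()
```

Run against the blocked sample the blocklist strips the whole tag; run against the custom-tag sample it returns the message unchanged and `event_handlers()` still reports an `onmouseover` handler on the `custom` element, which is exactly the one-click behaviour the report describes. Encoding the message for the context it is rendered in leaves no handler at all. Two further points the report raises are outside this snippet: a session cookie flagged `HttpOnly` would not have been readable for exfiltration by page script, and a server-side session that is invalidated on logout (and expires) would have stopped the stolen `drps` value from being reused afterwards.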