FirstBlood-#82 — Stored XSS via canceled appointment message
This issue was discovered on FirstBlood v1.0.0
On 2021-05-10, jtcsec reported:
When deleting your appointment, you can manually repeat the request, add a "message" parameter, which is then vulnerable to XSS on /drpanel/cancelled.php.
When following the normal flow, there isn't an option to add a message. However, if you look at previously cancelled appointments, you can see a message was included.
Steps to reproduce
- Create an appointment at /book-appointment.html
- Take note of the ID, and enter it on /yourappointments.php
- Hit cancel appointment. Then, go to Burp and send your request that canceled the appointment to Repeater
- Modify your request to include a message. See below:
- Submit the request. Log in as a doctor and hover over the name of your patient.
- Go to console and observe "jtcsecwashere" was logged
In this scenario, an attacker would create an appointment, then cancel it with a malicious message. When a doctor viewed this message, it would allow the attacker to steal the doctor's cookies and sign in as them. The attacker would then have access to the PII of every patient with a scheduled appointment.
FirstBlood ID: 8
Vulnerability Type: Stored XSS
When cancelling an appointment, an attacker can add a malicious XSS payload that will execute against administrators/doctors
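The two defects behind this report are a cancel endpoint that stores any field it is handed (the UI never sends "message", but the server keeps it) and a doctor-side page that echoes the stored value without encoding. The PHP below is an added illustration, not FirstBlood's own code: the table, column and function names are assumptions, and the sample row is constructed. It shows the vulnerable pattern beside a hardened version that drops unexpected fields at write time and HTML-encodes at render time.

```php
<?php
// Added example, not FirstBlood's code. Table/column/function names are assumed.

// --- Vulnerable pattern: trust every POST field, store it, echo it raw ---
function cancel_appointment_vulnerable(PDO $db, array $post): void {
    // The normal flow never sends "message", but a replayed request can,
    // and the server stores whatever arrives.
    $stmt = $db->prepare(
        'UPDATE appointments SET cancelled = 1, cancel_message = :msg WHERE id = :id'
    );
    $stmt->execute([':msg' => $post['message'] ?? '', ':id' => $post['id']]);
}

function render_cancelled_row_vulnerable(array $row): string {
    // Raw interpolation into an attribute and into element text: stored XSS
    // fires for whichever doctor views /drpanel/cancelled.php.
    return '<li title="' . $row['cancel_message'] . '">' . $row['name'] . '</li>';
}

// --- Hardened pattern ---
function cancel_appointment_hardened(PDO $db, array $post): void {
    // Accept only the fields this action is documented to take; an unexpected
    // "message" parameter is logged and dropped rather than persisted.
    $allowed = ['id'];
    $unexpected = array_diff(array_keys($post), $allowed);
    if ($unexpected) {
        error_log('cancel_appointment: ignoring unexpected fields: ' . implode(',', $unexpected));
    }
    $id = filter_var($post['id'] ?? '', FILTER_VALIDATE_INT);
    if ($id === false) {
        http_response_code(400);
        return;
    }
    $stmt = $db->prepare('UPDATE appointments SET cancelled = 1 WHERE id = :id');
    $stmt->execute([':id' => $id]);
}

function esc(string $s): string {
    // Output encoding for HTML body text and double-quoted attributes.
    // ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE avoids returning ''
    // (and silently dropping the value) on malformed UTF-8.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_cancelled_row_hardened(array $row): string {
    // Encode at output time regardless of where the value came from, so rows
    // that were poisoned before the fix are neutralised as well.
    return '<li title="' . esc($row['cancel_message'] ?? '') . '">'
         . esc($row['name']) . '</li>';
}

// Constructed sample row standing in for a poisoned appointment record.
$row = [
    'name'           => 'Alice',
    'cancel_message' => '<script>console.log("jtcsecwashere")</script>',
];
echo render_cancelled_row_vulnerable($row), "\n";  // markup reaches the browser intact
echo render_cancelled_row_hardened($row), "\n";    // &lt;script&gt;... is shown as text
```

Two defensive checks that follow from the report: diff the parameters each endpoint actually accepts against what the UI sends, since any extra field the server persists is an unreviewed input path; and make sure the doctor session cookie is set HttpOnly so that, even if an encoding gap remains somewhere, a script running in the doctor's page cannot read the cookie the report describes stealing.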