FirstBlood-#82Stored XSS via canceled appointment message



On 2021-05-10, jtcsec reported:

When deleting your appointment, you can manually repeat the request, add a "message" parameter, which is then vulnerable to XSS on /drpanel/cancelled.php.

When following the normal flow, there isn't an option to add a message. however, if you look at previously cancelled appointments, you can see a message was included.

Steps to reproduce

  1. Create an appointment at /book-appointment.html
  2. Take note of the ID, and enter it on /yourappointments.php
  3. Hit cancel appointment. Then, go to burp and send your request that canceled the appointment to repeater
  4. Modify your request to include a message. See below:
    act=cancel&id=b9f3eb4a-2491-402e-999a-4313bae55076&message=ITWORKED"%20onpointereNTER="console.log`jtcsecwashere`"%20new="1
  5. Submit the request. login as a doctor and hover over the name of your patient.
  6. Go to console and observe "jtcsecwashere" was logged

Impact

Attacker can execute javascript in the context of the doctors browser. This can be escalated by stealing the current session cookies. To reproduce this, update the payload above to be the below message:

message=ITWORKED"%20onpointereNTER="eval.call`${'confirm\x28document.cookie\x29'}`"%20new="1

This will display the current drps cookie, showing that the javascript executed has access to this cookie - it is not being stored securely

In this scenario, an attacker would create an appointment, then cancel it with a malicious message. When a doctor viewed this message, it would allow the attacker to steal the doctors cookies and sign in as them. The attacker would then have access to the PII of every patient with a scheduled appointment

P1 CRITICAL

Endpoint: /drpanel/cancelled.php

Parameter: message

Payload: ITWORKED"%20onpointereNTER="console.log`jtcsecwashere`"%20new="1


FirstBlood ID: 8
Vulnerability Type: Stored XSS

When cancelling an appointment, an attacker can add a malicious XSS payload that will execute against administrators/doctors

Report Feedback

@zseano

Creator & Administrator


Great work JTCsec!


Respect Earnt: 2500000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.