FirstBlood-#82Stored XSS via canceled appointment message
This issue was discovered on FirstBlood v1.0.0



On 2021-05-10, jtcsec Level 4 reported:

When deleting your appointment, you can manually repeat the request, add a "message" parameter, which is then vulnerable to XSS on /drpanel/cancelled.php.

When following the normal flow, there isn't an option to add a message. however, if you look at previously cancelled appointments, you can see a message was included.

Steps to reproduce

  1. Create an appointment at /book-appointment.html
  2. Take note of the ID, and enter it on /yourappointments.php
  3. Hit cancel appointment. Then, go to burp and send your request that canceled the appointment to repeater
  4. Modify your request to include a message. See below:
    act=cancel&id=b9f3eb4a-2491-402e-999a-4313bae55076&message=ITWORKED"%20onpointereNTER="console.log`jtcsecwashere`"%20new="1
  5. Submit the request. login as a doctor and hover over the name of your patient.
  6. Go to console and observe "jtcsecwashere" was logged

Impact

Attacker can execute javascript in the context of the doctors browser. This can be escalated by stealing the current session cookies. To reproduce this, update the payload above to be the below message:

message=ITWORKED"%20onpointereNTER="eval.call`${'confirm\x28document.cookie\x29'}`"%20new="1

This will display the current drps cookie, showing that the javascript executed has access to this cookie - it is not being stored securely

In this scenario, an attacker would create an appointment, then cancel it with a malicious message. When a doctor viewed this message, it would allow the attacker to steal the doctors cookies and sign in as them. The attacker would then have access to the PII of every patient with a scheduled appointment

P1 CRITICAL

Endpoint: /drpanel/cancelled.php

Parameter: message

Payload: ITWORKED"%20onpointereNTER="console.log`jtcsecwashere`"%20new="1


FirstBlood ID: 8
Vulnerability Type: Stored XSS

When cancelling an appointment, an attacker can add a malicious XSS payload that will execute against administrators/doctors

Report Feedback

@zseano

Creator & Administrator


Great work JTCsec!