FirstBlood-#834 — Cancel Stored XSS at the reservation function
This issue was discovered on FirstBlood v2
On 2021-10-29, axe Level 4 reported:
Discovery process: register user Sam -> book an order -> find an appointment -> visit the endpoint -> read the HTML code -> discover the vulnerable parameter
document.getElementById("message").value = msg
Use Burp to add XSS Payload to the cancelled appointment function -> after visiting the /drpanel/cancelled.php endpoint -> to see if the test was successful
This report is a bit long and is meant to let others know what endpoint this sensitive information comes from.
Registered User Sam
Find an Appointment
/manageappointment.php?success&aptid=360c79a2-a7de-4ac9-8348-68abaceff95e to discover sensitive endpoints!
Test the function of modifying and canceling appointments.
Modify the appointment:
There is a small problem: I re-registered the john user.
Test modifying the message parameter at the reservation
/drpanel/cancelled.php endpoint, XSS test failed
message parameter to the appointment cancellation
XSS test was successful. And still Stored XSS
FirstBlood ID: 22
Vulnerability Type: Stored XSS