FirstBlood-#834 — Cancel Stored XSS at the reservation function
This issue was discovered on FirstBlood v2
On 2021-10-29, axe Level 4 reported:
Summary
- Discovery process: register user Sam -> book an order -> find an appointment -> visit the endpoint -> read the HTML code -> discover the vulnerable parameter `document.getElementById("message").value = msg`
- Use Burp to add the message parameter and an XSS payload to the cancel appointment function -> visit the /drpanel/cancelled.php endpoint -> see whether the test was successful
- This report is a bit long and is meant to let others know which endpoint this sensitive information comes from.
Steps
- Registered user Sam
- Booked a reservation order
- Found an appointment
- Visited /manageappointment.php?success&aptid=360c79a2-a7de-4ac9-8348-68abaceff95e to discover sensitive endpoints!
- Tested the modify and cancel appointment functions.
- Modify the appointment:
- Cancel the reservation:
- There was a small problem, so I re-registered the user john.
- Tested modifying the message parameter at the reservation
- Accessed the /drpanel/cancelled.php endpoint: XSS test failed
- Added the message parameter to the appointment cancellation
- Accessed the /drpanel/cancelled.php endpoint
- XSS test was successful, and it is still stored XSS
P2 High
Endpoint: /manageappointment.php?success&aptid=360c79a2-a7de-4ac9-8348-68abaceff95
Parameter: message
Payload: `'"><svg/onload=alert(document.cookie)>//`
FirstBlood ID: 22
Vulnerability Type: Stored XSS
Whilst an attempt was made to fix the stored XSS vulnerability in managing an appointment, it actually introduced new issues: the message is now injectable when creating and editing an appointment, not just when cancelling it. Making use of htmlentities() and relying on .value in JavaScript to encode certain characters does not prevent XSS in every place the message is rendered. The 'fix' to this issue also results in admins being vulnerable on cancelled appointments as well.