BugBountyHunter

Hi,

DESCRITPTION:

I found that new discovered endpoint /api/managedoctors.php from my previous report have params vulnerbale to XSS.
These params are:

1. name
2. bio
3. tagline

There is no filtering nor encoding, so payload is simple as <img src=/ onerror=alert(1)>.

XSS TRIGGERS EXPLAINED - IMPORTANT !!!:

Okay this is more complicated than i tought, so iam going to mention how these XSS are triggering and where.
So /api/managedoctors.php have 3 params - name bio tagline and there are 4 doctors, drid - 1 2 3 4.
We have 6 endpoints where these doctors are shown - /doctors.php /meet_drs.php about.php /drpanel/index.php drpanel/edit-doctor.php?id=[1-4] /manageappointment.php?success&aptid=[id].

Triggers:

1. Endpoint: /doctors.php Params: name drid: 1 2 3 4
2. Endpoint: /about.php Params: bio name drid: 3
3. Endpoint: /meet_drs.php Params: name tagline drid: 1 2 3 4
   Endpoint: /meet_drs.php Params: bio drid: 1 2
4. Endpoint /drpanel/index.php - not vulnerable
5. Endpoint drpanel/edit-doctor.php?id=[1-4] - not vulnerable
6. Endpoint /manageappointment.php?success&aptid=[id] Params: name drid: 1

Hope this make sense.

Here is the request:

PUT /api/managedoctors.php HTTP/1.1
Host: 9f0fae8ab2d6-pichik.a.firstbloodhackers.com

{
"name":"<img src=/ onerror=alert('name2')>",
"bio":"<img src=/ onerror=alert('bio2')>",
"tagline":"<img src=/ onerror=alert('tagline2')>",
"drId":"2"
}

POC LINK:

Here is the endpoint where most of the params will trigger:
https://9f0fae8ab2d6-pichik.a.firstbloodhackers.com/meet_drs.php

POC SCREEN:

Here we can see our payloads nicely reflected:

IMPACT:

Attacker can use this to steal cookies of doctors.

REMEDIATION:

Use html encoding in all user input.