FirstBlood-#120 — Stored XSS on /drpanel/drapi/query.php?aptid
This issue was discovered on FirstBlood v1
On 2021-05-10, iffu Level 5 reported:
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles
Hi zseano
Summary
I have found a Stored XSS vulnerability on /drpanel/drapi/query.php.
When a user wants to request for appointment, he needs to give his details and book appointment on http://firstbloodhackers.com:49361/book-appointment.html. But the input given to this page is reflected on the admin dashboard on /drpanel/drapi/query.php.
Steps to reproduce
-
Insert an XSS payload in the firstname and/or lastname of the appointment form on http://firstbloodhackers.com:49361/book-appointment.html
-
When the admin visits /drpanel/drapi/query.php?aptid={{your_aptid_here}, he will be popped with an alert box indicating XSS payload has fired successfully.
ZSEANO, I can't thank you enough for making this platform so wonderful that learning has become a great joy with an awesome community which comes to help when needed
P2 High
Endpoint: /drpanel/drapi/query.php
Parameter: ***
Payload: <script>confirm`1`</script>
FirstBlood ID: 10
Vulnerability Type: Stored XSS
When creating an appointment, it is possible to get stored XSS /drapi/query.php via the patients name