FirstBlood-#1716DOM XSS on doctors.php via doctor parameter
This issue was discovered on FirstBlood v3

On 2022-12-14, ar6aaz Level 3 reported:

Hi FirstBloodv3 Team,

I have come across a DOM XSS vulnerability on FirstBloodv3. The value of doctor parameter on /doctors.php is reflected into the DOM and we are able to execute Javascript code using the same.

Steps to Reproduce:

  1. Visit the URL:;alert(document.cookie);//

This will update the DOM such that it will break out of the variable selectedDoctor and execute Javascript code.

DOM XSS executing:

Impact: Since the cookie of admin isn't HTTPOnly, it can be extracted via our malicious Javascript code. A user can then login into the admin account by simply using the harvested cookie in their session and takeover the admin's account.

P3 Medium

Endpoint: /doctors.php

Parameter: doctor

Payload: 2%27;alert(document.cookie);//

FirstBlood ID: 47
Vulnerability Type: Reflective XSS

The endpoint /doctors.php is vulnerable to reflective XSS via the ?doctor= parameter