FirstBlood-#189 — Stored Cross-site Scripting
This issue was discovered on FirstBlood v1
On 2021-05-11, d20s84 Level 3 reported:
Summary: Stored XSS can be triggered on the drAdmin panel while accessing /drpanel/cancelled.php#.
Source of injection: /api/ma.php
Sink of injection: /drpanel/cancelled.php#
Steps:
- Register an appointment by filling in all the required credentials.
- Now, click on the Manage appointment icon.
- Click on Cancel appointment and capture the request.
- Add a message parameter in the body section as shown in the figure below [Consider the Note: section].
- Forward the request.
- Hover the mouse over the patient's name in the /drpanel/cancelled.php endpoint.
- Open the console log and boom, the payload has been logged as an array.
Impact:
A malicious attacker can steal the cookie and perform other malicious actions on the admin panel.
Note:
The extra embedded message parameter in the body section of the request
P1 CRITICAL
Endpoint: /api/ma.php
Parameter: message=
Payload: abc"%26quot;%20onpointerenter=console.log`d20s84`>
FirstBlood ID: 8
Vulnerability Type: Stored XSS
When cancelling an appointment, an attacker can add a malicious XSS payload that will execute against administrators/doctors
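The following Python is an added illustration, not code from the report or from FirstBlood, of the two decoding layers the payload above is written for: the URL decoding of the request body on /api/ma.php, and an assumed attribute sink on cancelled.php that entity-decodes the stored message before placing it in a title attribute shown on hover. The page does not show the server code; that sink shape is an assumption chosen because the payload carries both a raw `"` and an encoded `&quot;`. The markup is then parsed the way a browser tokenizer would see it, so the injected `onpointerenter` handler shows up as a real attribute in the vulnerable rendering and disappears when the output is escaped for the attribute context. The patient name, the `title` attribute and all function names are the example's own.

```python
import html
import urllib.parse
from html.parser import HTMLParser

# The message parameter exactly as the report shows it, still URL-encoded as it
# travels in the request body captured at the "Cancel appointment" step.
REPORT_PAYLOAD = 'abc"%26quot;%20onpointerenter=console.log`d20s84`>'


def decode_message_param(raw: str) -> str:
    """First decoding layer: the URL decoding applied to the request body
    before the value reaches $_POST['message'] in /api/ma.php."""
    return urllib.parse.unquote_plus(raw)


def render_vulnerable(patient: str, message: str) -> str:
    """Assumed vulnerable sink, NOT FirstBlood's code: the stored message is
    entity-decoded and then placed, unescaped, in the title attribute that is
    shown when the doctor hovers over the patient's name on cancelled.php."""
    decoded = html.unescape(message)  # second layer: &quot; turns into a raw "
    return f'<span class="patient" title="{decoded}">{html.escape(patient)}</span>'


def render_hardened(patient: str, message: str) -> str:
    """Fix: escape for the attribute context at the output point (the
    htmlspecialchars(..., ENT_QUOTES) equivalent) and never entity-decode
    stored data on the way out."""
    safe_message = html.escape(message, quote=True)
    return f'<span class="patient" title="{safe_message}">{html.escape(patient)}</span>'


class _AttributeCollector(HTMLParser):
    """Records (tag, attribute name) pairs the way a browser tokenizer would
    register them, including attributes created by a quote breakout."""

    def __init__(self) -> None:
        super().__init__()
        self.attributes: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        for name, _value in attrs:
            self.attributes.append((tag, name))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)


def event_handler_attributes(markup: str) -> list[str]:
    """Names of the on* event handler attributes present in the rendered markup."""
    collector = _AttributeCollector()
    collector.feed(markup)
    collector.close()
    return [name for _tag, name in collector.attributes if name.startswith("on")]


if __name__ == "__main__":
    message = decode_message_param(REPORT_PAYLOAD)
    print("stored message:", message)
    for label, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        markup = render("Patient One", message)  # constructed patient name
        print(f"{label}: {markup}")
        print(f"  event handlers seen by the parser: {event_handler_attributes(markup)}")
```

The vulnerable rendering closes the title attribute at the first raw quote, so `onpointerenter=console.log`d20s84`` becomes an attribute of the span and fires as soon as the pointer enters the patient's name, which matches the hover step in the report. The hardened rendering keeps the whole message inside the attribute value; because it also does not entity-decode, the `&quot;` half of the payload reaches the browser as the literal text `&quot;` rather than as a quote character.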