FirstBlood-#189Stored Cross site scripting

On 2021-05-11, d20s84 reported:

Summary: Stored Xss can be triggered on the drAdmin panel while accessing /drpanel/cancelled.php#.

Source of injection : /api/ma.php Sink of injection : /drpanel/cancelled.php#


  1. Register an appointment by filling in all the required credentials.
  2. Now, Click on the Manage appointment icon.
  3. Click on Cancel appointment and capture the request.
  4. Add message parameter in the body section as shown in the figure below [Consider the Note: section].
  5. Forward the request.
  6. Hover the mouse on the patient's name in the /drpanel/cancelled.php endpoint.
  7. Open the console log and boom the payload has been logged as an array.

Impact : Malicious attacker can steal the cookie and perform other malicious activities on the admin panel.

Note: The extra embedded message parmeter in the body section of the request


Endpoint: /api/ma.php

Parameter: message=

Payload: abc"%26quot;%20onpointerenter=console.log`d20s84`>

FirstBlood ID: 8
Vulnerability Type: Stored XSS

When cancelling an appointment, an attacker can add a malicious XSS payload that will execute against administrators/doctors

Respect Earnt: 2000000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.