FirstBlood-#1146 — Reflected XSS on https://a939f6568e92-mrxhunt.a.firstbloodhackers.com/doctors.php
This issue was discovered on FirstBlood v3
On 2022-12-08, mr_xhunt Level 8 reported:
I have found a reflected XSS on the doctors.php endpoint in the parameter doctor with a very simple XSS payload.
Steps to Reproduce:
- You need to visit the following link: https://a939f6568e92-mrxhunt.a.firstbloodhackers.com/doctors.php?doctor=%27-alert(document.location)-%27
- The XSS will pop up and can be used to leak the cookies of the authenticated users
Underlying Issue:
The value of the doctor parameter is directly inserted in the JavaScript code without being sanitized first, thus ' closes the JS variable value and then we insert our own alert command and can easily leak the cookie of the users.
Remediation:
The value must be sanitized first with proper escaping.
P3 Medium
Endpoint: /doctors.php
Parameter: doctor
Payload: %27-alert(document.location)-%27
FirstBlood ID: 47
Vulnerability Type: Reflective XSS
The endpoint /doctors.php is vulnerable to reflective XSS via the ?doctor= parameter
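To make the remediation concrete, here is an added example (not the FirstBlood application's own code) that contrasts the vulnerable pattern the report describes, a request value echoed straight into a JavaScript string literal, with a hardened version that emits the value as a JSON literal with the HEX escape flags; the function names and the `var doctor` literal are assumptions.

```php
<?php
// Simplified reconstruction of the reported pattern (assumption, not the
// real doctors.php): the ?doctor= value lands inside a JS string literal.
// A single quote in $doctor terminates the literal, so the rest of the
// value is parsed as script. HTML-escaping alone would not help here,
// because the sink is JavaScript, not HTML.
function render_vulnerable(string $doctor): string
{
    return "<script>var doctor = '" . $doctor . "';</script>";
}

// Hardened form: json_encode() produces a syntactically valid JS string
// literal, and the JSON_HEX_* flags turn < > ' " & into \uXXXX escapes so
// the value can neither break out of the string nor close the <script>
// element. Forward slashes are escaped by default ("\/"), which also
// neutralises a "</script>" inside the value.
function render_fixed(string $doctor): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP;
    $literal = json_encode($doctor, $flags);
    if ($literal === false) {
        // Invalid UTF-8 makes json_encode() fail; fall back to an empty
        // string rather than emitting raw input.
        $literal = '""';
    }
    return "<script>var doctor = " . $literal . ";</script>";
}

// Constructed sample input: the report's payload after URL decoding.
$input = "'-alert(document.location)-'";

echo render_vulnerable($input), PHP_EOL;
// <script>var doctor = ''-alert(document.location)-'';</script>

echo render_fixed($input), PHP_EOL;
// <script>var doctor = "\u0027-alert(document.location)-\u0027";</script>
```

The same value still needs htmlspecialchars() if it is also printed into HTML body or attribute context; escaping is chosen per output context, not once per parameter.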