FirstBlood-#1716 DOM XSS on doctors.php via doctor parameter
This issue was discovered on FirstBlood v3

On 2022-12-14, ar6aaz Level 3 reported:

Hi FirstBloodv3 Team,

I have come across a DOM XSS vulnerability on FirstBloodv3. The value of the doctor parameter on /doctors.php is reflected into the DOM and we are able to execute JavaScript code using the same.

Steps to Reproduce:

  1. Visit the URL: https://e834168b0bb3-ar6aaz.a.firstbloodhackers.com/doctors.php?doctor=2%27;alert(document.cookie);//

This will update the DOM such that it will break out of the variable selectedDoctor and execute JavaScript code.

DOM XSS executing:

Impact: Since the cookie of admin isn't HttpOnly, it can be extracted via our malicious JavaScript code. A user can then log in to the admin account by simply using the harvested cookie in their session and take over the admin's account.

P3 Medium

Endpoint: /doctors.php

Parameter: doctor

Payload: 2%27;alert(document.cookie);//


FirstBlood ID: 47
Vulnerability Type: Reflective XSS

The endpoint /doctors.php is vulnerable to reflective XSS via the ?doctor= parameter.
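The report describes the classic shape of this bug: a request parameter is pasted into an inline script as the value of the variable `selectedDoctor`, so a single quote in the parameter closes the string and whatever follows runs as code. The following is an added example written for this page, not code from the report or from the FirstBlood application; the variable name `selectedDoctor` and the payload come from the report, while the template shape and the function names (`renderUnsafe`, `renderSafe`, `jsStringLiteral`, `codeAfterLiteral`) are assumptions of the example. It puts the unsafe concatenation beside a hardened rendering (JSON-encode the value, then escape the characters that matter inside `<script>`), plus a small check a reviewer or test suite can use to confirm the parameter can no longer leave the string literal.

```javascript
// Added example (not part of the FirstBlood report or application).
// Payload as given in the report, used here as a constructed test input.
const REPORTED_PAYLOAD = "2';alert(document.cookie);//";

// Unsafe pattern (hypothetical template that mirrors the bug class described
// in the report): the raw parameter is concatenated into a JS string literal.
function renderUnsafe(doctorParam) {
  return "<script>var selectedDoctor = '" + doctorParam + "';</script>";
}

// Hardened encoder for a value embedded inside an inline <script> block.
// JSON.stringify handles quotes, backslashes and control characters; the
// extra replacements stop "</script>" and HTML-significant characters from
// ending the script element early, and neutralise the two line-terminator
// code points that JSON allows but older JS parsers treat as newlines.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function renderSafe(doctorParam) {
  return "<script>var selectedDoctor = " + jsStringLiteral(doctorParam) + ";</script>";
}

// Walks a single- or double-quoted JS string literal whose opening quote is
// at index `start`, honouring backslash escapes, and returns the index just
// past the closing quote (-1 if unterminated).
function endOfStringLiteral(src, start) {
  const quote = src[start];
  for (let i = start + 1; i < src.length; i++) {
    if (src[i] === "\\") { i++; continue; }
    if (src[i] === quote) return i + 1;
  }
  return -1;
}

// Detection check for the rendered page: returns the code that follows the
// selectedDoctor literal up to </script>. Anything other than ";" means the
// parameter escaped the string context, which is exactly the report's finding.
function codeAfterLiteral(html) {
  const prefix = "var selectedDoctor = ";
  const open = html.indexOf(prefix) + prefix.length;
  const close = endOfStringLiteral(html, open);
  const end = html.indexOf("</script>");
  if (close === -1 || end === -1) return null;
  return html.slice(close, end);
}

// Usage: compare what trails the literal in each rendering.
console.log("unsafe trailing code:", JSON.stringify(codeAfterLiteral(renderUnsafe(REPORTED_PAYLOAD))));
console.log("safe trailing code:  ", JSON.stringify(codeAfterLiteral(renderSafe(REPORTED_PAYLOAD))));
```

The hardened form keeps the value inside the literal for every input, and `JSON.parse` of the encoded literal round-trips the original string, so the page still gets the doctor id it wanted. Encoding for the script context is the fix for the reflection itself; setting the admin session cookie to `HttpOnly` separately removes the cookie-theft impact the report describes.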