How did I become a doctor using an XSS vulnerability?
2021-09-21 01:07:03 Author: infosecwriteups.com

Krishnadev P Melevila

Hey guys, once again I am back with a new writeup!!

To all who don't know me: I am Krishnadev P Melevila, a cyber security researcher and Google certified digital marketer. You can search my name on Google.


Here I refer to the target as example.com, as I am not able to disclose the target's details under their policy.

So let's start!!!

I was totally bored one day, so I thought of finding some bugs. Usually I enumerate educational websites like the Entri app, Linways etc., so I thought about a change. I googled “Hospital management system” and came to my target website, example.com.

On that site, you can book appointments for hospital consultations and direct doctor consultations. So I went to the profile section, and there I entered “<h1>hello</h1>” instead of my name. Woooha!! It was an HTML injection!!!

But wait!!!! If there is a chance for HTML injection, then there is a chance for XSS!!! So let's exploit it. I tried entering <img src=x onerror=prompt(9)> and saved. Again it got hit!! XSS triggered!!

Now what? Yes, CSRF!! Then I suddenly tried to book an appointment, and in the name field I entered a CSRF script that steals the doctor's session cookie: as soon as the doctor views my appointment, his/her cookie is sent to my remote server.

So if I log in with that cookie, I will be logged in as the doctor, I can see other patients' appointments, and I can attend consultations impersonating the doctor.
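As an added example (not code from the writeup, and not the target site's own code, which is undisclosed), here is the bug and its fix in miniature: the patient-supplied name rendered into the doctor's appointment view without and with HTML encoding, a rough server-side check that flags markup in a name field for review, and the Set-Cookie attributes that keep a session cookie out of reach of injected script. Function names and the cookie name are assumptions.

```python
import html
import re

# Constructed inputs, copied from the two test values the writeup used.
HTML_INJECTION = "<h1>hello</h1>"
XSS_PAYLOAD = "<img src=x onerror=prompt(9)>"


def render_appointment_unsafe(patient_name: str) -> str:
    """The bug: the patient's name is concatenated straight into the
    doctor's appointment list, so any markup in it becomes live HTML
    (stored XSS that fires when the doctor opens the page)."""
    return f"<li>Appointment with patient: {patient_name}</li>"


def render_appointment_safe(patient_name: str) -> str:
    """The fix: HTML-encode untrusted text before placing it in a text
    node. quote=True also encodes quotes, so the same helper is safe
    inside quoted attribute values."""
    return f"<li>Appointment with patient: {html.escape(patient_name, quote=True)}</li>"


# A '<' followed by a tag name, or an on*= event-handler attribute, has
# no business in a person's name. Crude (can false-positive on names
# containing "on" followed by "="), so use it for logging/review, not
# as a replacement for output encoding.
_SUSPICIOUS = re.compile(r"<\s*[a-zA-Z]|on[a-z]+\s*=", re.IGNORECASE)


def looks_like_markup(value: str) -> bool:
    """True if the submitted value should be flagged for review."""
    return bool(_SUSPICIOUS.search(value))


def session_cookie_header(session_id: str) -> str:
    """Cookie attributes that limit the blast radius of an XSS:
    HttpOnly keeps document.cookie from reading the session id,
    Secure and SameSite=Strict limit where the browser sends it."""
    return (f"Set-Cookie: session={session_id}; HttpOnly; Secure; "
            "SameSite=Strict; Path=/")


if __name__ == "__main__":
    for value in (HTML_INJECTION, XSS_PAYLOAD):
        print("unsafe:", render_appointment_unsafe(value))
        print("safe:  ", render_appointment_safe(value))
        print("flag:  ", looks_like_markup(value))
    print(session_cookie_header("example-session-id"))
```

With HttpOnly set, an injected script that runs in the doctor's browser still cannot read the session cookie, which is the value this writeup's payload depended on.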

Thanks, guys, for reading my writeup. Follow me on Instagram for real-time updates: https://instagram.com/krishnadev_p_melevila

Bug reported on: 10-09-2021

Bug triaged on: 11-09-2021

Bug patched and bounty released on: 18-09-2021

Article source: https://infosecwriteups.com/how-did-i-become-a-doctor-using-xss-vulnerability-bce190fc114a?source=rss----7b722bfd1b8d--bug_bounty