Hey guys, once again I am back with a new writeup!!
To all who don't know me: I am Krishnadev P Melevila, a cyber security researcher and Google certified digital marketer. You can search my name on Google.
Here I refer to the target as example.com, as I am not able to disclose the target details per their policy.
So let's start!!!
I was totally bored one day, then I thought of finding some bugs. Usually I enumerate educational websites like entri app, linways etc., so I thought about a change. I did a Google search for “Hospital management system” and came to my target website, example.com.
On that site, we can book appointments for hospital consultations and direct doctor consultations. So I went to the profile section and entered “<h1>hello</h1>” instead of my name. Woooha!! It was an HTML injection!!!
But wait!!!! If HTML injection is possible, then there is a chance of XSS!!! So let's exploit it. I tried entering <img src=x onerror=prompt(9)> and saved. Again it hit!! XSS triggered!!
Now what? Yes, CSRF!! Then I suddenly tried to book an appointment, and in the name field I entered a csrf script that steals the doctor’s session cookie: as soon as the doctor views my appointment, his/her cookie will be sent to my remote server.
So if I log in with that cookie, I will be logged in as the doctor and can see other patients' appointments and attend consultations impersonating the doctor.
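As an added example (not code from the original writeup or from the target application), here is the fix on the application side that breaks the chain above: the stored name is HTML-encoded before it is rendered into the doctor's appointment list, so the `<h1>` and `<img onerror>` payloads display as text instead of executing, and the doctor's session cookie is issued with HttpOnly, Secure and SameSite so a script running in the page cannot read it. The sample names are constructed to mirror the payloads mentioned in the writeup; nothing is sent to any server.

```python
import html
import http.cookies

# Constructed sample inputs mirroring the writeup's payloads (not data from example.com).
SAMPLE_NAMES = [
    "Alice",
    "<h1>hello</h1>",
    "<img src=x onerror=prompt(9)>",
]


def render_name_vulnerable(name: str) -> str:
    """Reflects the stored name into the appointment table verbatim.
    This is the defect the writeup describes: the browser parses the
    name as markup, so a stored payload runs in the doctor's session."""
    return f"<td>{name}</td>"


def render_name_hardened(name: str) -> str:
    """Contextual output encoding for an HTML text context.
    html.escape turns <, >, &, ' and " into entities, so whatever the
    patient typed is shown as literal text and never interpreted as a tag."""
    return f"<td>{html.escape(name, quote=True)}</td>"


def contains_markup(rendered_cell: str) -> bool:
    """Check used to verify the two renderers: does the cell body still
    contain raw angle brackets that a browser would parse as a tag?"""
    inner = rendered_cell[len("<td>"):-len("</td>")]
    return "<" in inner or ">" in inner


def session_cookie_header(session_id: str) -> str:
    """Build the Set-Cookie value for the doctor's session.
    HttpOnly keeps the cookie out of document.cookie, Secure limits it to
    HTTPS, and SameSite=Lax stops it riding along on cross-site requests."""
    jar = http.cookies.SimpleCookie()
    jar["session"] = session_id
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["samesite"] = "Lax"
    jar["session"]["path"] = "/"
    return jar.output(header="").strip()


def audit_renderer(render) -> dict:
    """Run every constructed sample through a renderer and report which
    ones still leave markup in the output. Used to compare the two paths."""
    return {name: contains_markup(render(name)) for name in SAMPLE_NAMES}


if __name__ == "__main__":
    # Expected: the vulnerable renderer leaks markup for the two payloads,
    # the hardened one leaks markup for none of them.
    print("vulnerable:", audit_renderer(render_name_vulnerable))
    print("hardened:  ", audit_renderer(render_name_hardened))
    print(session_cookie_header("constructed-session-id"))
```

The encoding step has to happen at render time in the HTML context, not at input time: the same name may later be placed into a JavaScript string, an attribute or a JSON response, each of which needs its own encoding. The cookie flags are a second layer: even if one template forgets to encode, HttpOnly means the injected script has no cookie to send to a remote server.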
Thanks, guys, for reading my writeup. Follow me on Instagram for real-time updates: https://instagram.com/krishnadev_p_melevila
Bug reported on: 10–09–2021
Bug triaged on: 11–09–2021
Bug patched and bounty released on: 18–09–2021