FirstBlood-#449 — A User can modify the Email of their appointment despite being disabled for safeguarding reasons
This issue was discovered on FirstBlood v2
On 2021-10-25, xnl-h4ck3r Level 4 reported:
Summary
The endpoint MA.php (used to modify an appointment) only allows certain values to be modified; however, due to an application logic error, if the user has tried to sign up as a doctor and has the cookie "doctorAuthed" set, it allows them to modify the email address of any appointment.
When a user modifies an appointment on /manageappointment.php, the page says "For safeguarding reasons you are only able to modify certain information about your appointment." The email address field is disabled, but a user can change it by adding the email parameter to the POST request, or by including it directly in the Extra Comments field because of a DOM XSS vulnerability.
Steps to Reproduce
This can be done either using a proxy such as Burp, or by exploiting the Extra Comments field:
Ensure you have the cookie doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9 (this is obtained from registering, even if the registration is unsuccessful; the value is the BASE64 encoding of {"doctorAuth":authed}).
Proxy method
- Book an appointment on /book-appointment.html and note down the Appointment ID
- Go to /yourappointments.php, enter the Appointment ID, and click RETRIEVE APPOINTMENT
- Notice the message "For safeguarding reasons you are only able to modify certain information about your appointment." and that you are unable to modify the email address.
- Proxy traffic through Burp and turn Intercept on
- On /manageappointment.php for your appointment, click MODIFY APPOINTMENT
- A POST request to /api/ma.php will be intercepted; add email=newemailaddress to the request before forwarding.
- Now enter your appointment ID again and click RETRIEVE APPOINTMENT
- Observe the changed email address.
Extra Comments field exploit
- Book an appointment on /book-appointment.html and note down the Appointment ID
- Go to /yourappointments.php, enter the Appointment ID, and click RETRIEVE APPOINTMENT
- Notice the message "For safeguarding reasons you are only able to modify certain information about your appointment." and that you are unable to modify the email address.
- Enter a value of message&email=newemailaddress in the Extra Comments field (message) and click MODIFY APPOINTMENT
- On /manageappointment.php for your appointment, click MODIFY APPOINTMENT
- Now enter your appointment ID again and click RETRIEVE APPOINTMENT
- Observe the changed email address.
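Both methods above end with the same POST body reaching /api/ma.php. The following is an added example, not code from the report or from FirstBlood itself, showing why the Extra Comments trick works (a client that builds the form body by string concatenation lets "&" and "=" inside the comment become new parameters), how the client should encode the field, and how the server should enforce the safeguarding rule with an allow-list that ignores the doctorAuthed cookie. The field names id, message and email, and the ALLOWED_PATIENT_FIELDS list, are assumptions for illustration.

```javascript
// Added example (not from the original report or the FirstBlood code base).
// Field names and the allow-list below are assumptions for illustration.

// Vulnerable client: body assembled by concatenation, so "&" and "=" typed
// into the Extra Comments field are read by the server as parameter separators.
function buildBodyConcat(appointmentId, message) {
  return "id=" + appointmentId + "&message=" + message;
}

// Hardened client: URLSearchParams percent-encodes "&" and "=" inside values,
// so the whole comment stays in the message parameter.
function buildBodyEncoded(appointmentId, message) {
  const params = new URLSearchParams();
  params.set("id", appointmentId);
  params.set("message", message);
  return params.toString();
}

// Parse an application/x-www-form-urlencoded body into a plain object, the way
// a PHP backend populates $_POST (last value wins for a repeated key).
function parseBody(body) {
  const fields = {};
  for (const [key, value] of new URLSearchParams(body)) fields[key] = value;
  return fields;
}

// Server side: the safeguarding rule is an allow-list of fields a patient may
// change. Cookies are deliberately not consulted here; the report shows that
// doctorAuthed is obtainable from a failed doctor registration, so its presence
// must not widen what a patient is allowed to update.
const ALLOWED_PATIENT_FIELDS = new Set(["message"]);

function applyPatientUpdate(appointment, postFields) {
  const updated = { ...appointment };
  const rejected = [];
  for (const [field, value] of Object.entries(postFields)) {
    if (field === "id") continue; // the record selector, not an updatable field
    if (ALLOWED_PATIENT_FIELDS.has(field)) {
      updated[field] = value;
    } else {
      rejected.push(field); // "email" lands here regardless of any cookie
    }
  }
  return { updated, rejected };
}

// Constructed walk-through of the Extra Comments payload from the report.
function demo() {
  const payload = "message&email=attacker@example.com"; // constructed sample
  const smuggled = parseBody(buildBodyConcat("1234", payload));
  const encoded = parseBody(buildBodyEncoded("1234", payload));
  const stored = { id: "1234", email: "patient@example.com", message: "" };
  const result = applyPatientUpdate(stored, smuggled);
  return { smuggled, encoded, result };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the block shows the concatenated body parsing to three fields (id, message and email), the encoded body parsing to two (id and the untouched message), and the allow-listed update keeping the stored email while reporting "email" as rejected. The server-side allow-list is the control that actually matters: fixing only the client encoding still leaves the proxy method open.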
Impact
A user is able to bypass safeguard controls for the management of appointments.
P3 Medium
Endpoint: /ma.php
Parameter: email & message
Payload: n/a
FirstBlood ID: 33
Vulnerability Type: Application/Business Logic
Our mistake: We did not intentionally leave the code to change emails if the correct values were set; however, it created interesting results, because most discovered this but missed bug IDs 20 and 21, and whilst it was not possible to modify via integer, if the ID was known it would still work.