FirstBlood-#548 — [Unpatched] Patient's information that the webapp does not allow to be changed can be changed
This issue was discovered on FirstBlood v2
On 2021-10-26, d20s84 Level 3 reported:
Hi again Sean!!
I was able to change patient information that I am not authorized to change through the manage appointment endpoint.
Impact:
An attacker can obtain the aptid and change info, such as the email, that the attacker is not intended to be able to change.
How?
1. This is what the initial patient info looks like.
2. I put a random string in the message, clicked on the manage appointment button and intercepted the request.
3. From the past report report?id=540 I was able to obtain the Cookie: doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9 header.
4. I integrated it into the request meant to manage the patient's appointment, along with the parameter name/value pair that I wanted to change.
5. I forwarded the request and Boom!!
P3 Medium
Endpoint: /api/ma.php?success&aptid={id}
Parameter: none
Payload: none
FirstBlood ID: 33
Vulnerability Type: Application/Business Logic
Our mistake: We did not intentionally leave the code to change emails if the correct values were set; however, it created interesting results, because most discovered this but missed bug IDs 20 and 21, and whilst it was not possible to modify via integer, if the ID was known it would still work.
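The class of mistake described above (a handler that writes whatever columns the request names, so a doctor-authed request to /api/ma.php with a known aptid can overwrite the email) is easiest to see as a small model. The following is an added example, not FirstBlood's code: it models the request from the report and shows an assumed pre-fix handler beside a hardened one that only accepts an allowlist of editable fields. The parameter names other than aptid, the message field being the intended editable one, the cookie check and the in-memory store are all assumptions.

```python
# Added example (not FirstBlood's code). Models the report's request and
# contrasts an assumed pre-fix handler with an allowlisted one.
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Cookie value quoted in the report; the check against it is an assumption.
DOCTOR_COOKIE = "doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9"

# Constructed sample appointment; the email address is made up.
@dataclass
class Appointment:
    aptid: int
    email: str
    message: str = ""

def new_store():
    return {548: Appointment(aptid=548, email="patient@example.test")}

class Forbidden(Exception):
    pass

class NotFound(Exception):
    pass

def parse_request(url, body):
    """Merge query-string and form-body parameters into one flat dict.
    keep_blank_values=True keeps the bare 'success' flag from the URL."""
    params = {}
    for raw in (urlsplit(url).query, body):
        for k, v in parse_qs(raw, keep_blank_values=True).items():
            params[k] = v[-1]  # last value wins, like most PHP-style stacks
    return params

def _load(store, params, cookie):
    if cookie != DOCTOR_COOKIE:
        raise Forbidden("doctor cookie required")
    apt = store.get(int(params["aptid"]))
    if apt is None:
        raise NotFound(params["aptid"])
    return apt

def manage_vulnerable(store, params, cookie):
    """Assumed pre-fix behaviour: every parameter that matches a column
    on the appointment is written, so 'email' in the body changes it."""
    apt = _load(store, params, cookie)
    for k, v in params.items():
        if k not in ("aptid", "success") and hasattr(apt, k):
            setattr(apt, k, v)
    return apt

ALLOWED_FIELDS = {"message"}  # assumption: only the message is editable

def manage_hardened(store, params, cookie):
    """Allowlist version: unexpected parameters are rejected rather than
    silently ignored, which also makes tampering show up in logs."""
    apt = _load(store, params, cookie)
    unexpected = set(params) - ALLOWED_FIELDS - {"aptid", "success"}
    if unexpected:
        raise Forbidden("not editable: " + ", ".join(sorted(unexpected)))
    if "message" in params:
        apt.message = params["message"]
    return apt

# The report's request, reconstructed: known aptid plus an email the
# attacker chose (body parameter name is an assumption).
REPORT_URL = "/api/ma.php?success&aptid=548"
REPORT_BODY = "message=random&email=attacker@example.test"

def reproduce():
    """Run the same request through both handlers; returns (email after
    the vulnerable handler, error raised by the hardened one)."""
    params = parse_request(REPORT_URL, REPORT_BODY)
    vuln = manage_vulnerable(new_store(), params, DOCTOR_COOKIE)
    try:
        manage_hardened(new_store(), params, DOCTOR_COOKIE)
        hardened_error = None
    except Forbidden as e:
        hardened_error = str(e)
    return vuln.email, hardened_error

if __name__ == "__main__":
    print(reproduce())
```

The point of rejecting rather than dropping unexpected fields is that the program's own note says the email-changing path was never meant to exist; an allowlist makes the intended writable set explicit in code, so an extra column added later does not silently become editable again.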