FirstBlood-#270 — Email id can be modified for a patient
This issue was discovered on FirstBlood v1
On 2021-05-15, d20s84 Level 3 reported:
Summary: Modifying the email id of a patient has been commented out, yet the server accepts the email= parameter.
Steps:
- Go to Manage appointments.
- Click on modify button and intercept the request.
- Add an extra parameter email={value}. Make sure the "Cookie: doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9;" header is set. Use the image below for reference.
- Forward the request and boom!!! The email has been changed.
POC:
Before:
After:
P2 High
Endpoint: /api/ma.php
Parameter: email=
Payload: -
FirstBlood ID: 7
Vulnerability Type: Application/Business Logic
The endpoint ma.php (used to modify an appointment) only allows certain values to be modified; however, due to an application logic error, if a user has attempted to sign up as a doctor and therefore has the "doctorAuthed" cookie set, the endpoint lets them modify the email address of any appointment.
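The logic error above, modelled as an added example (constructed code, not FirstBlood's own ma.php): the vulnerable handler widens the set of accepted fields whenever the client-controlled doctorAuthed cookie is present, while the hardened handler applies a server-side allowlist that does not depend on that cookie. The field names and the sample record are assumptions.

```python
"""Constructed model of the /api/ma.php appointment-modification logic.

Not the application's real code. It shows why the server, not the UI form,
must decide which fields a request may change.
"""

# Fields the "modify appointment" form still submits (assumed). The email
# field was removed from the UI but not from server-side handling.
UI_FIELDS = {"name", "phone", "date", "reason"}


def sample_appointment():
    """Constructed appointment record (FirstBlood ID 7 from the report)."""
    return {"id": 7, "name": "Alice", "phone": "555-0100",
            "date": "2021-05-20", "reason": "checkup",
            "email": "alice@example.invalid"}


def modify_vulnerable(record, params, cookies):
    """Vulnerable: any value of the client-settable doctorAuthed cookie
    adds "email" to the accepted parameters, as described in the report."""
    allowed = set(UI_FIELDS)
    if "doctorAuthed" in cookies:      # presence alone is trusted
        allowed.add("email")
    updated = dict(record)
    for key, value in params.items():
        if key in allowed:
            updated[key] = value
    return updated


def modify_hardened(record, params, cookies):
    """Hardened: explicit server-side allowlist independent of any cookie.
    Unexpected parameters are rejected so the attempt is visible in logs."""
    unexpected = set(params) - UI_FIELDS
    if unexpected:
        raise ValueError(f"unexpected parameter(s): {sorted(unexpected)}")
    updated = dict(record)
    updated.update({k: params[k] for k in UI_FIELDS if k in params})
    return updated


def replay_report():
    """Re-creates the report's request: the form data plus an extra email=."""
    params = {"name": "Alice", "email": "changed@example.invalid"}
    cookies = {"doctorAuthed": "eyJkb2N0b3JBdXRoIjphdXRoZWR9"}
    vuln = modify_vulnerable(sample_appointment(), params, cookies)
    try:
        modify_hardened(sample_appointment(), params, cookies)
        hardened = "accepted"
    except ValueError:
        hardened = "rejected"
    return vuln["email"], hardened
```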