FirstBlood-#1683 — Delete Ambulance Provided to any Appointment
This issue was discovered on FirstBlood v3
On 2022-12-13, mr_xhunt (Level 8) reported:
Summary:
Sending a DELETE request to the endpoint /api/manageambulances.php with an ambulance ID will delete the ambulance provided to any appointment.
Steps To Reproduce:
- Create an appointment with an ambulance:

- Now get the abmulance_id assigned to you via the following request:

- Send a DELETE request to /api/manageambulances.php with the ambId parameter and paste the value obtained in step 2.

P2 High
Endpoint: /api/manageambulances.php
Parameter: ambId
Payload: d9010b9b-8c1e-427c-979a-8b41fce1fb37
FirstBlood ID: 77
Vulnerability Type: Access_control
Sending an unauthenticated DELETE request to /api/manageambulances.php will cause that ambulance to be deleted
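
One way the endpoint could gate the DELETE is sketched below as an added example; it is not FirstBlood's code and not part of the report. The function name, the session shape and the ambulance-to-owner map are assumptions, and the sample IDs are constructed.

```php
<?php
declare(strict_types=1);

// Constructed sample data (assumption): ambulance id => user who owns the appointment.
const SAMPLE_AMBULANCES = [
    '11111111-2222-4333-8444-555555555555' => 'user-alice',
    '66666666-7777-4888-9999-aaaaaaaaaaaa' => 'user-bob',
];

// Hypothetical helper: returns the HTTP status the DELETE handler should send.
// $session is the server-side session, or null when the caller is not logged in.
function ambulanceDeleteStatus(?array $session, string $method, mixed $ambId, array $ambulances): int
{
    if ($method !== 'DELETE') {
        return 405;
    }
    // 1. Authentication: the reported request was accepted with no session at all.
    if ($session === null || empty($session['user_id'])) {
        return 401;
    }
    // 2. Input validation: ambId must be a single UUID-shaped string.
    $uuid = '/\A[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\z/i';
    if (!is_string($ambId) || preg_match($uuid, $ambId) !== 1) {
        return 400;
    }
    // 3. Object-level authorization: the ambulance must belong to the caller's
    //    appointment. Unknown and foreign ids get the same answer.
    $owner = $ambulances[strtolower($ambId)] ?? null;
    if ($owner === null || $owner !== $session['user_id']) {
        return 404;
    }
    return 204; // caller owns the ambulance: the handler may delete the row
}

// Constructed requests, one per branch of the check.
$alice = ['user_id' => 'user-alice'];
$cases = [
    'no session'               => [null, '11111111-2222-4333-8444-555555555555'],
    'malformed ambId'          => [$alice, 'not-a-uuid'],
    "another user's ambulance" => [$alice, '66666666-7777-4888-9999-aaaaaaaaaaaa'],
    'own ambulance'            => [$alice, '11111111-2222-4333-8444-555555555555'],
];
foreach ($cases as $label => [$session, $ambId]) {
    printf("%-26s -> %d\n", $label, ambulanceDeleteStatus($session, 'DELETE', $ambId, SAMPLE_AMBULANCES));
}
```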