FirstBlood-#1432 — Book non-bookable doctors in appointment
This issue was discovered on FirstBlood v3
On 2022-12-10, ayush1098 Level 8 reported:
Hello Team,
Summary:
On the doctors.php endpoint, we can see that we can only book some doctors (those who are bookable), but after reading the source code, I found this piece of code:
    // Runs whenever the page is loaded with a URL fragment (e.g. #doctor=1)
    if (window.location.hash) {
        // Rewrite "#doctor=1" as "?doctor=1" so URLSearchParams can parse it
        var urlParams = new URLSearchParams(window.location.hash.replace("#","?"));
        var drHash = urlParams.get('doctor');
        // Copy the fragment's doctor id straight into the hidden form field, with no check
        document.getElementById("drId").value = drHash;
        // history.pushState('', '', '/book-appointment.html')
        // Strip the fragment from the address bar after it has been consumed
        history.pushState('', '', '/book-appointment.php')
    }
So instead of relying on the UI, I visited https://1e2176df1447-ayush1098.a.firstbloodhackers.com/book-appointment.php#doctor=1
Note: the doctor with id=1 is not bookable.
And to my surprise, I was able to book appointments with this doctor.
Steps To Reproduce:
- Visit https://1e2176df1447-ayush1098.a.firstbloodhackers.com/book-appointment.php#doctor=1.
- Book the appointment.
- View your appointment: Julie is booked as the doctor.
Thanks & Regards
Ayush Singh
P4 Low
Endpoint: /book-appointment.php
Parameter: doctor
Payload: NA
FirstBlood ID: 67
Vulnerability Type: Application/Business Logic
It is possible to book an unavailable doctor