FirstBlood-#1028 — Business logic allows booking appointments with unavailable doctors
This issue was discovered on FirstBlood v3
On 2022-12-08, lumbridge7 Level 4 reported:
Hello firstblood team! I've found a business logic flaw in the "Book Appointment" feature.
Summary
Business logic vulnerabilities are flaws in the design and implementation of an application that allow an attacker to elicit unintended behavior. This potentially enables attackers to manipulate legitimate functionality to achieve a malicious goal.
By using a hidden parameter in the book-appointment page, it is possible to choose the doctor. This shouldn't be an available option, since it is not part of the form.
By abusing this parameter, we can even book "unavailable" doctors.
Steps to reproduce
- Proxy requests through Burp Suite
- Go to https://0a71d31af52a-lumbridge7.a.firstbloodhackers.com/book-appointment.php
- Fill in the form, intercept the request and click on "book appointment" to trigger the POST request
- Add the param "drId=1" (or any other doctor id with the status unavailable*) to the body of the request
- Send the request
- The appointment is booked with the doctor, regardless of whether their status is "unavailable" or not.
This can be tested with many drId, since it's an easily guessable single digit numeric value.
Getting a doctor with status unavailable
For testing purposes, access the doctor dashboard and set any doctor to status = unavailable. Grab the drId from the URL, i.e. https://0a71d31af52a-lumbridge7.a.firstbloodhackers.com/drpanel/edit-doctor.php?id=4: here id=4 is the drId we'll use to book the appointment.
POC
Impact
Anyone can book appointments with Unavailable doctors.
P4 Low
Endpoint: /book-appointment.php
Parameter: drId
Payload: null
FirstBlood ID: 67
Vulnerability Type: Application/Business Logic
It is possible to book an unavailable doctor
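The control missing from the reported flow is a server-side re-check of the posted drId against the doctor's status. The following is an added illustration in Python, not FirstBlood's own PHP code: the handler that trusts drId as submitted beside a hardened one; the doctor table, ids and statuses are constructed sample data.

```python
"""Server-side availability check for a book-appointment POST handler.

Added example, not the FirstBlood application's code. The drId value in the
POST body is attacker-controlled (it can be added even when the form does not
offer it), so the doctor's status must be enforced on the server.
"""
from dataclasses import dataclass

# Constructed sample doctor table; ids, names and statuses are made up.
DOCTORS = {
    1: {"name": "Dr. Example One", "status": "available"},
    4: {"name": "Dr. Example Four", "status": "unavailable"},
}


@dataclass
class BookingResult:
    ok: bool
    message: str


def book_appointment_vulnerable(form: dict, doctors: dict = DOCTORS) -> BookingResult:
    """Mirrors the reported behaviour: whatever drId arrives is booked."""
    dr_id = int(form.get("drId", 0))
    return BookingResult(True, f"booked with doctor {dr_id}")


def book_appointment_fixed(form: dict, doctors: dict = DOCTORS) -> BookingResult:
    """Hardened handler: validate drId and the doctor's status server-side."""
    raw = str(form.get("drId", ""))
    if not raw.isdigit():
        # Missing or non-numeric id: reject instead of defaulting to a doctor.
        return BookingResult(False, "invalid drId")
    dr_id = int(raw)
    doctor = doctors.get(dr_id)
    if doctor is None:
        return BookingResult(False, "unknown doctor")
    if doctor["status"] != "available":
        # Omitting a doctor from the client-side form is not a control;
        # the status has to be checked here, at booking time.
        return BookingResult(False, f"doctor {dr_id} is unavailable")
    return BookingResult(True, f"booked with doctor {dr_id}")
```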
Creator & Administrator
Congratulations, you were the second to report this! It's fully intended though to be able to choose a doctor to book via the /doctors.php endpoint. It will let you select a doctor to book and it isn't a hidden parameter :-)