FirstBlood-#554 — Modifying information on Appointment Form which are not allowed to be modified.
This issue was discovered on FirstBlood v2
On 2021-10-26, th4nu0x0 Level 2 reported:
Summary:
- On Firstbloodhacker.com, once a patient has created an appointment they are only allowed to modify comments; the other fields are not allowed to be modified, as mentioned on the page.
- But by adding the email parameter to the body and Cookie: doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9 to the request header, the email can be changed.
- doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9 ==base64 decoded=> doctorAuthed={"doctorAuth":authed}
Steps To Reproduce:
- Create an appointment and copy the ID
- Visit Manage Appointment and enter your ID
- Now click Modify Appointment and intercept the request
- On the request header add Cookie: doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9
- On the post body add [email protected] and forward the request.
Impact:
Users can modify the email of their appointments, which they shouldn't be able to as per the application logic.
P3 Medium
Endpoint: /manageappointment.php
Parameter: email
Payload: doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9
FirstBlood ID: 33
Vulnerability Type: Application/Business Logic
Our mistake: We did not intentionally leave the code to change emails if the correct values were set; however, it created interesting results because most discovered this but missed bug IDs 20 and 21, and whilst it was not possible to modify via integer, if the ID was known it would still work.
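The root cause in this report is an authorization decision made from a client-controlled cookie: anyone can base64-encode the expected marker, send it, and be treated as a doctor, which in turn unlocks a field (email) that patients are not meant to edit. The following Python model is an added illustration, not the FirstBlood PHP code; the in-memory appointment store, the session table, the login_doctor() helper and the field allowlists are all assumptions. It places the flawed check (trust the cookie's content) beside a hardened one (look the session up server-side) and rejects, rather than silently drops, any field the caller is not permitted to change.

```python
import base64

# Cookie value quoted in the report; it decodes to {"doctorAuth":authed}.
FORGED_COOKIE = "eyJkb2N0b3JBdXRoIjphdXRoZWR9"

# Constructed stand-ins for the application's database and server-side
# session table (assumptions, not the project's own storage).
SERVER_SESSIONS = {}  # session id -> {"role": "doctor"}, populated only by a real login

PATIENT_EDITABLE = {"comments"}           # what a patient may change after creation
DOCTOR_EDITABLE = {"comments", "email"}   # what a doctor may change


def sample_store():
    """Fresh constructed appointment store so each call starts from known state."""
    return {"33": {"name": "Jane", "email": "jane@example.test", "comments": "first visit"}}


def decode_cookie(raw):
    """Base64-decode a cookie value, returning None if it is not valid base64/UTF-8."""
    try:
        return base64.b64decode(raw).decode()
    except (ValueError, UnicodeDecodeError):
        return None


def vulnerable_is_doctor(cookies):
    """Model of the flawed check: role derived from data the client controls."""
    decoded = decode_cookie(cookies.get("doctorAuthed", ""))
    return decoded is not None and '"doctorAuth":authed' in decoded


def vulnerable_update(store, appt_id, form, cookies):
    """Applies whichever submitted fields the (client-asserted) role allows."""
    appt = store[appt_id]
    allowed = DOCTOR_EDITABLE if vulnerable_is_doctor(cookies) else PATIENT_EDITABLE
    for field, value in form.items():
        if field in allowed:
            appt[field] = value
    return appt


def login_doctor():
    """Hypothetical login: issues a random session id bound to the doctor role server-side."""
    import secrets
    sid = secrets.token_urlsafe(32)
    SERVER_SESSIONS[sid] = {"role": "doctor"}
    return sid


def hardened_is_doctor(cookies):
    """Role comes from the server-side session record, never from cookie content."""
    return SERVER_SESSIONS.get(cookies.get("session"), {}).get("role") == "doctor"


def hardened_update(store, appt_id, form, cookies):
    """Rejects the whole request if any submitted field is outside the caller's allowlist."""
    appt = store[appt_id]
    allowed = DOCTOR_EDITABLE if hardened_is_doctor(cookies) else PATIENT_EDITABLE
    rejected = sorted(set(form) - allowed)
    if rejected:
        raise PermissionError(f"fields not modifiable by this role: {rejected}")
    for field in allowed & set(form):
        appt[field] = form[field]
    return appt


if __name__ == "__main__":
    forged = {"doctorAuthed": FORGED_COOKIE}
    print("decoded cookie:", decode_cookie(FORGED_COOKIE))
    print("vulnerable, forged cookie:", vulnerable_update(sample_store(), "33", {"email": "x@example.test"}, forged))
    try:
        hardened_update(sample_store(), "33", {"email": "x@example.test"}, forged)
    except PermissionError as e:
        print("hardened, forged cookie:", e)
```

Rejecting unexpected fields outright (rather than ignoring them) is what makes the second version testable: a patient submitting `email` gets a visible error, and that error is something a detection rule can count, whereas the vulnerable handler gives no signal either way.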