FirstBlood-#1027 Can make book appointment to unavailable doctor
This issue was discovered on FirstBlood v3

On 2022-12-08, properlay Level 7 reported:

Hello, I found a way to book an appointment with an unavailable doctor.

To reproduce:

  1. When booking an appointment, turn Burp Suite intercept ON

  2. Then fill in all the required info and click Book Appointment

  3. On the intercepted request, add drId=1

POST /api/ba.php HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Anti-Csrf: 82070-4702-33892
Content-Length: 137
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

  4. Forward the request, and you will see that you booked an appointment with Julie (a doctor unavailable for appointment booking)


Can book an appointment with an unavailable doctor.

P4 Low

FirstBlood ID: 67
Vulnerability Type: Application/Business Logic

It is possible to book an unavailable doctor

Congratulations, you were the first to report this!
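
A server-side check that would close this gap, as an added example (not FirstBlood's code and not part of the report): the booking handler resolves `drId` against server-held availability data instead of trusting that the form only offered bookable doctors. The `DOCTORS` table, the function name, the `fname` field and the rule that `drId` must appear exactly once are assumptions; only `drId=1` being the unavailable doctor Julie comes from the page.

```php
<?php
declare(strict_types=1);

// Constructed sample data: the page only states that drId=1 (Julie) is
// unavailable for booking; the other entries are hypothetical.
const DOCTORS = [
    1 => ['name' => 'Julie', 'bookable' => false],
    2 => ['name' => 'Doctor B (hypothetical)', 'bookable' => true],
    3 => ['name' => 'Doctor C (hypothetical)', 'bookable' => true],
];

// Return the validated doctor id from a raw urlencoded body, or throw.
// Availability is decided from server-side data, never from what the form offered.
function resolveBookableDoctor(string $rawBody, array $doctors): int
{
    // Collect every drId occurrence; $_POST would silently keep only the last one.
    $values = [];
    foreach (explode('&', $rawBody) as $pair) {
        [$key, $value] = array_pad(explode('=', $pair, 2), 2, '');
        if (urldecode($key) === 'drId') {
            $values[] = urldecode($value);
        }
    }
    if (count($values) !== 1) {
        throw new InvalidArgumentException('drId must appear exactly once');
    }
    // Short digit strings only: rejects "", "-1", "1.0", "0x1" and oversized input.
    if (!ctype_digit($values[0]) || strlen($values[0]) > 9) {
        throw new InvalidArgumentException('drId must be a positive integer');
    }
    $id = (int) $values[0];
    // Unknown ids and known-but-unavailable doctors get the same refusal.
    if (!isset($doctors[$id]) || $doctors[$id]['bookable'] !== true) {
        throw new DomainException('doctor is not available for booking');
    }
    return $id;
}

// Constructed request bodies; "fname" is a hypothetical form field.
$samples = ['fname=a&drId=2', 'fname=a&drId=1', 'fname=a&drId=2&drId=1', 'fname=a'];
foreach ($samples as $body) {
    try {
        $id = resolveBookableDoctor($body, DOCTORS);
        printf("%-24s -> accepted, doctor %d\n", $body, $id);
    } catch (InvalidArgumentException | DomainException $e) {
        printf("%-24s -> rejected: %s\n", $body, $e->getMessage());
    }
}
```

Only the first sample is accepted; the `drId=1` body from the report is refused at the availability lookup, and the duplicated or missing parameter cases are refused before any lookup happens.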