FirstBlood-#1028 Business logic allows booking appointments with unavailable doctors
This issue was discovered on FirstBlood v3



On 2022-12-08, lumbridge7 Level 4 reported:

Hello firstblood team! I've found a business logic flaw in the "Book Appointment" feature.

Summary

Business logic vulnerabilities are flaws in the design and implementation of an application that allow an attacker to elicit unintended behavior. This potentially enables attackers to manipulate legitimate functionality to achieve a malicious goal.

By using a hidden parameter in the book-appointment page, it is possible to choose the doctor. This shouldn't be an available option, since it is not part of the form.

By abusing this parameter, we can even book "unavailable" doctors.

Steps to reproduce

  1. Proxy requests through Burp Suite.
  2. Go to https://0a71d31af52a-lumbridge7.a.firstbloodhackers.com/book-appointment.php
  3. Fill in the form, intercept the request, and click "Book Appointment" to trigger the POST request.
  4. Add the parameter "drId=1" to the request body (or any other doctor ID whose status is unavailable*).
  5. Send the request.
  6. The appointment is booked with the doctor, regardless of whether their status is "unavailable" or not.

This can be tested with many drId values, since it is an easily guessable single-digit numeric value.

Getting a doctor with status unavailable

For testing purposes, access the doctor dashboard and set any doctor's status to unavailable. Grab the drId from the URL.

e.g., https://0a71d31af52a-lumbridge7.a.firstbloodhackers.com/drpanel/edit-doctor.php?id=4

id=4 is the drId we'll use to book the appointment.

POC

Impact

Anyone can book appointments with Unavailable doctors.

P4 Low

Endpoint: /book-appointment.php

Parameter: drId

Payload: null


FirstBlood ID: 67
Vulnerability Type: Application/Business Logic

It is possible to book an unavailable doctor
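The following is an added example and is not code from the report or from FirstBlood itself. It simulates the two halves of the finding in Python: a helper that appends a drId parameter to a captured form body, as in step 4 of the reproduction steps, and two versions of a booking handler. The naive version books whatever doctor ID the client supplies; the checked version looks the ID up server-side and refuses doctors whose status is not "available". The doctor table, the form field names in the sample body, and the error strings are constructed assumptions, not the application's real schema.

```python
from urllib.parse import parse_qs, urlencode

# Constructed doctor table standing in for the application's database.
# Doctor IDs are small integers, as the report notes; statuses follow
# the "available"/"unavailable" values visible in the doctor panel.
DOCTORS = {
    1: {"name": "Doctor One", "status": "available"},
    4: {"name": "Doctor Four", "status": "unavailable"},
}

# Constructed sample of the book-appointment form body; the field names
# are assumptions and are not taken from the real form.
SAMPLE_BODY = "name=Alice&email=alice%40example.com&date=2022-12-09&time=10%3A00"


def _fields(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def tamper_form(body: str, doctor_id: int) -> str:
    """Step 4 of the report: add drId=<id> to an intercepted POST body."""
    fields = _fields(body)
    fields["drId"] = str(doctor_id)
    return urlencode(fields)


def book_naive(body: str) -> dict:
    """Handler matching the behaviour the report describes: the client-supplied
    drId is trusted as-is, so the doctor's status is never consulted."""
    fields = _fields(body)
    doctor_id = int(fields.get("drId", 0))
    return {"ok": True, "doctor": doctor_id}


def book_checked(body: str) -> dict:
    """Hardened handler: drId must be numeric, must exist, and the doctor's
    server-side status must be "available" before a booking is created."""
    fields = _fields(body)
    raw = fields.get("drId")
    if raw is None or not raw.isdigit():
        return {"ok": False, "error": "missing or malformed drId"}
    doctor = DOCTORS.get(int(raw))
    if doctor is None:
        return {"ok": False, "error": "unknown doctor"}
    if doctor["status"] != "available":
        return {"ok": False, "error": "doctor unavailable"}
    return {"ok": True, "doctor": int(raw)}


if __name__ == "__main__":
    tampered = tamper_form(SAMPLE_BODY, 4)
    print("tampered body:", tampered)
    print("naive handler:  ", book_naive(tampered))
    print("checked handler:", book_checked(tampered))
```

Because the report notes that drId is a guessable single-digit value, a production handler might return the same generic error for "unknown doctor" and "doctor unavailable" so that the endpoint does not confirm which IDs exist; the example keeps them separate only to make the two checks visible.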

Report Feedback

@zseano

Creator & Administrator


Congratulations, you were the second to report this! It's fully intended though to be able to choose a doctor to book via the /doctors.php endpoint. It will let you select a doctor to book and it isn't a hidden parameter :-)