FirstBlood-#1028 — Business logic allows to book appointments with unavailable doctors
This issue was discovered on FirstBlood v3
On 2022-12-08, lumbridge7 Level 4 reported:
Hello firstblood team! I've found a business logic flaw in the "Book Appointment" feature.
Business logic vulnerabilities are flaws in the design and implementation of an application that allow an attacker to elicit unintended behavior. This potentially enables attackers to manipulate legitimate functionality to achieve a malicious goal.
By using a hidden parameter in the book-appointment page, it is possible to choose the doctor. This shouldn't be an available option, since it is not part of the form.
By abusing this parameter, we can even book "unavailable" doctors.
Steps to reproduce
- proxy requests through burp suite
- go to https://0a71d31af52a-lumbridge7.a.firstbloodhackers.com/book-appointment.php
- fill the form, intercept request and click on "book appointment" to trigger the POST request
- add to the body of the request the param "drId=1" (or any other doctor id with the status unavailable*)
- send request
- Appointment booked with doctor, regardless of their status being "unavailable" or not.
This can be tested with many drId, since it's an easily guessable single digit numeric value.
Getting a doctor with status unavailable
For testing purposes, access the doctor dashboard and set any doctor with the status = unavailable. grab the
drIdfrom the url.
drIdwe'll use to book the appointment.
Anyone can book appointments with Unavailable doctors.
FirstBlood ID: 67
Vulnerability Type: Application/Business Logic
It is possible to book an unavailable doctor
Creator & Administrator
Congratulations, you were the second to report this! It's fully intended though to be able to choose a doctor to book via the /doctors.php endpoint. It will let you select a doctor to book and it isn't a hidden parameter :-)