FirstBlood-#130 — It is possible to view patient's data as a new doctor
This issue was discovered on FirstBlood v1
On 2021-05-10, 0xblackbird Level 5 reported:
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles
Hello Zseano! I found a business logic error on /drpanel/drapi/query.php and as a normal doctor, I was able to read any patient's personal data. Normally, this should not be possible for new doctors
Steps to reproduce
- Create a new account on
/register.php
- Next, navigate to
/drpanel/drapi/query.php?aptid=56911019. The ID can be obtained by either logging in as an administrator or by bruteforcing the value. The first 4 digits look to be static and do not change, so only the last 4 can or need to be bruteforced.
- After the page loaded, we can easily read the personal date of Mrs Melissa White.
Impact
I was able to view patient's personal data as a new doctor
Thanks a lot for the fun challenge! Have a nice day!
P1 CRITICAL
Endpoint: /drpanel/drapi/query.php
Parameter: aptid
Payload: 56911019
FirstBlood ID: 11
Vulnerability Type: Application/Business Logic
Administrator endpoints can be accessed by non privileged doctor accounts which reveals sensitive patient information.