FirstBlood-#14: The patient email can be changed even though the application UI mentioned that this is not allowed.
This issue was discovered on FirstBlood v1



On 2021-05-09, bobbylin Level 4 reported:

I managed to change the patient email in the appointment even though this is not allowed by the application.

First, we test all the parameters that are not allowed to be changed.

The patient email appears to be changeable by the patient.

The impact is that if the appointment id is stolen by an attacker, he can change the email to his own email and hijack the correspondence with the hospital.

P2 High

Endpoint: http://firstbloodhackers.com:49219/manageappointment.php

Parameter: email

Payload: changed


FirstBlood ID: 7
Vulnerability Type: Application/Business Logic

The endpoint MA.php (to modify an appointment) only allows certain values to be modified. However, due to an application logic error, if the user has tried to sign up as a doctor and has the cookie "doctorAuthed" set, the endpoint allows them to modify the email address for any appointment.
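
The logic error described above, shown next to a corrected form. This is an added example, not FirstBlood's source code or part of the original report: the `message` field, the session `role` key, the helper names, and the idea that a logged-in doctor may edit the email are all assumptions; only `email` and `doctorAuthed` come from the report.

```php
<?php
// Added example: a hypothetical reconstruction, not FirstBlood's source code.
// Assumed: the "message" field, the session "role" key, and that a logged-in
// doctor may edit the email. "email" and "doctorAuthed" come from the report.

const PATIENT_EDITABLE = ['message'];

// Flawed pattern: the writable-field list grows when a client-supplied cookie
// is merely present. Cookies are request input, so any visitor can hold one.
function editableFieldsFlawed(array $cookies): array
{
    $fields = PATIENT_EDITABLE;
    if (isset($cookies['doctorAuthed'])) {
        $fields[] = 'email';
    }
    return $fields;
}

// Corrected pattern: the writable-field list depends only on a role stored in
// the server-side session after a completed, verified login.
function editableFieldsFixed(array $session): array
{
    $fields = PATIENT_EDITABLE;
    if (($session['role'] ?? '') === 'doctor') {
        $fields[] = 'email';
    }
    return $fields;
}

// Copy only allow-listed fields from the request; everything else is ignored.
function applyUpdate(array $appointment, array $post, array $allowed): array
{
    foreach ($allowed as $field) {
        if (array_key_exists($field, $post)) {
            $appointment[$field] = (string) $post[$field];
        }
    }
    return $appointment;
}

// Constructed sample data: cookie present, but no authenticated session role.
$stored  = ['email' => 'patient@example.test', 'message' => 'old note'];
$post    = ['email' => 'changed@example.test', 'message' => 'new note'];
$cookies = ['doctorAuthed' => '1'];
$session = [];

$flawed = applyUpdate($stored, $post, editableFieldsFlawed($cookies));
$fixed  = applyUpdate($stored, $post, editableFieldsFixed($session));
echo "flawed handler stores email: {$flawed['email']}\n";
echo "fixed handler stores email:  {$fixed['email']}\n";
```

The same request makes a useful regression test: with the cookie set and no authenticated session, the stored email must come back unchanged while the permitted field still updates.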

Report Feedback

@zseano

Creator & Administrator


Nice find bobbylin :)