FirstBlood-#1432Book non-bookable doctors in appointment
This issue was discovered on FirstBlood v3

On 2022-12-10, ayush1098 Level 8 reported:

Hello Team,


On doctors.php endpoint, we can see that we can only book some doctors(who are bookable) but after reading the source code, I found this piece of code:

       if (window.location.hash) {

        var urlParams = new URLSearchParams(window.location.hash.replace("#","?"));
        var drHash = urlParams.get('doctor');
            document.getElementById("drId").value = drHash;
           // history.pushState('', '', '/book-appointment.html')
            history.pushState('', '', '/book-appointment.php')

So instead of relying on UI, I visited the

Note: The doctor with id=1 is not bookable

And to be surprised, I was able to book appointments with this doctor.

Steps To Reproduce:

  1. Visit the

  2. Book the appointment.

view your appointment and the Julie is booked as a doctor.

Thanks & Regards

Ayush Singh

P4 Low

Endpoint: /book-appointment.php

Parameter: doctor

Payload: NA

FirstBlood ID: 67
Vulnerability Type: Application/Business Logic

It is possible to book an unavailable doctor