Adding cookie to the request allows us to modify way more data then allowed

FirstBlood-#172 — Adding cookie to the request allows us to modify way more data then allowed
This issue was discovered on FirstBlood v1

This report has been reviewed and accepted as a valid vulnerability on FirstBlood!

On 2021-05-11, 0xblackbird Level 5 reported:


Hello Zseano! I found an business logic error that allowed me to edit more than only my message after making an appointment. All we need to do this is use a cookie called doctorAuthed which is basically a base64 encoded JSON object.
Steps to reproduce

First of all, we have to make an appointment, to do so, visit /book-appointment.html and fill in all the required fields.



Click on Book appointment and copy your AppointmentID.

Next, simply go to /yourappointments.php and paste in your AppointmentID and retrieve your appointment.



Now normally, you should only be able to modify the extra comments section but we can actually modify anything by just manually appending a cookie to our request. To do so, click on Modify Appointment and intercept the request + send it to Repeater.




Now, by just making this request, it won't change anything at all.




But if we were to add the following cookie to our request, then it should change our email-address: doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9



And it did :D!


Impact
I was able to change other details and completely bypass the application logic.
Kind regards,
0xblackbird

This report has been publicly disclosed for everyone to view

P2 High

Endpoint: /api/ma.php

Parameter: fName, lName, email, ...

Payload: N/A

FirstBlood ID: 7
Vulnerability Type: Application/Business Logic

The endpoint MA.php (to modify an appointment) only allows for certain values to be modified, however due to some application logic error, if the user has tried to signup as a doctor and has the cookie "doctorAuthed" set, then it allows them to modify the email address for any appointment.

BugBountyHunter

Steps to reproduce

Impact