FirstBlood #193: Application Logic allowing access to unauthorised information belonging to patients
This issue was discovered on FirstBlood v1

On 2021-05-11, c3phas (Level 4) reported:


Hi, I found an application logic issue on firstbloodhackers that enables an unauthorized doctor to search for patients' info.


After successfully creating an account as a doctor, once logged in I found that it had limited access and had no authorization to view patients' information.

Seeing this I knew it was asking for trouble and I was in for it :)

When searching for a patient, the endpoint /drpanel/drapi/qp.php is used, i.e. if logged in with an admin account.

On viewing the source code of the account logged in as a normal doctor, I noticed the function findPatient() had no logic, just an alert saying I do not have the permissions.

    function findPatient() {
        alert("As your account is new you are unable to search for patients.");
    }

On the other hand, the admin account had a different implementation:

    function findPatient() {
        var patientName = document.getElementById("patient_name").value;

        var xhr = new XMLHttpRequest();
        xhr.open("POST", 'drapi/qp.php', true);
        xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");

        xhr.onreadystatechange = function() {
            if (this.readyState === XMLHttpRequest.DONE && this.status === 200) {
                document.getElementById("patientresp").innerHTML = this.responseText;
            } else {
                // remainder of the handler is cut off in the excerpt
            }
        };
        // the xhr.send(...) call carrying the form body is not shown in the excerpt
    }



Notice the endpoint being hit here: drapi/qp.php.

Seeing this I knew I was on to something. I logged in on the account without enough permissions and crafted a POST request in Burp Suite hitting the endpoint drapi/qp.php using this user's cookies, and voilà, I got the results.

Steps to reproduce

  1. Register an account as a doctor and log in (refer to my previous report on how to register an account).

  2. Intercept the request to get the user's session cookies.

  3. In Burp Suite, craft a POST request as below:

          POST /drpanel/drapi/qp.php HTTP/1.1
          Accept-Language: en-US,en;q=0.9
          Cookie: drps=1e14e77da1c072d19530aebeb

  4. Send the request and notice the response now contains the patients' information.

Supporting Material


Doctors without permission are able to access information they shouldn't be accessing.


Endpoint: /drpanel/drapi/qp.php

Parameter: NA

Payload: NA

FirstBlood ID: 11
Vulnerability Type: Application/Business Logic

Administrator endpoints can be accessed by non-privileged doctor accounts, which reveals sensitive patient information.
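The root cause in this report is that the permission check lived only in the page's JavaScript (the alert stub) while the server endpoint trusted any valid session. The block below is an added illustration, not code from the FirstBlood application or from c3phas's report: it models the qp.php decision as two plain request handlers, the vulnerable shape (session present is enough) beside the fixed shape (the server re-checks the same permission the UI used). The session store, the `canSearch` flag, the `name` parameter and the patient records are all constructed assumptions.

```javascript
// Added example: server-side authorization for the patient-search endpoint.
// SESSIONS, PATIENTS and the "name" form field are constructed test data.
const SESSIONS = {                      // cookie value -> session (constructed)
  "admin-cookie":  { user: "dr_admin", role: "admin",  canSearch: true  },
  "newdoc-cookie": { user: "dr_new",   role: "doctor", canSearch: false },
};
const PATIENTS = [                      // constructed records
  { name: "Alice Example", dob: "1980-01-01" },
  { name: "Bob Example",   dob: "1975-06-15" },
];

// Pull the drps session cookie out of a raw Cookie header.
function parseCookie(header) {
  const m = /(?:^|;\s*)drps=([^;]+)/.exec(header || "");
  return m ? m[1] : null;
}

function searchPatients(name) {
  const needle = String(name || "").toLowerCase();
  return PATIENTS.filter(p => p.name.toLowerCase().includes(needle));
}

// Vulnerable shape: the only gate is "is there a session at all". The UI hides
// the search from new doctors, but the endpoint never re-checks, so any
// authenticated account that POSTs here directly gets the records.
function qpVulnerable(req) {
  const session = SESSIONS[parseCookie(req.headers.cookie)];
  if (!session) return { status: 401, body: "login required" };
  return { status: 200, body: searchPatients(req.body.name) };
}

// Fixed shape: authorization is enforced on the server, on every request,
// against the same permission the UI consulted when it showed the alert.
function qpFixed(req) {
  const session = SESSIONS[parseCookie(req.headers.cookie)];
  if (!session) return { status: 401, body: "login required" };
  if (!session.canSearch) return { status: 403, body: "forbidden" };
  return { status: 200, body: searchPatients(req.body.name) };
}

// Constructed request mirroring step 3 of the report: a new doctor's cookie
// sent straight to the endpoint, bypassing the client-side stub.
const newDoctorReq = { headers: { cookie: "drps=newdoc-cookie" }, body: { name: "alice" } };
```

A detection check for this class of bug is the same comparison the test makes: call each admin-panel endpoint with a low-privilege session and expect 403, not data.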