FirstBlood-#235A Doctor can cancel patient's appointments
This issue was discovered on FirstBlood v1



On 2021-05-14, twsec Level 2 reported:

After navigating through the web app we learn that a patient can book his appointment and get a unique random ID for it. This random ID is unguessable. After we create an appointment we notice that the patient can modify his appointment or even cancel it. This is the image for creating an appointment:

This is the image for cancelling an appointment:

Now, after we log in using the Dradmin credentials and enter the drpanel, we can view the appointments and the cancelled ones as well, but we cannot cancel a patient's appointment (or can we?). We notice that when we click on a patient's name we get a popup with the details of that patient's appointment; but because we are curious and we like to know what's happening behind the scenes, we open up the element inspector and check what's happening.

The getinfo(number) call gets our attention: there's a number, and diving deeper into it we find that the getinfo function is actually using drapi/query.php?aptid='aptid', while the normal user is using the /api/qa.php API to retrieve his appointment ID details. Now, what if we insert the ID from the drpanel into the normal retrieve-appointment screen?

It tells us that it's invalid, but what if we enter it inside the qa.php API?

Now we get the original ID the patient gets when booking his appointment.

Now we take that ID (the long string), enter it inside the retrieve-appointment screen or through the ma.php API, and cancel the appointment.

And that's how a doctor can cancel a patient's appointments.

P2 High

Endpoint: /api/qa.php

Parameter: id found in drpanel

Payload: just switch the id from the drpanel into the /api/qa.php request


FirstBlood ID: 6
Vulnerability Type: Insecure direct object reference

The endpoint MA.php (to modify an appointment) will allow integer values to be used when modifying appointments. A bad case of security through obscurity was attempted.
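The root cause described in the report and in the summary above is that an endpoint silently accepts the internal integer key (the aptid shown in the doctor panel) as an alias for the unguessable booking ID, which turns the long random ID from a secret into something any doctor can look up. The following is an added example, not FirstBlood's own code or the reporter's: a small Python model of the appointment API with the weak lookup beside a hardened one. All names (`AppointmentStore`, `qa_vulnerable`, `qa_hardened`, `ma_cancel`, `drapi_query`, the `Session` roles) are constructed for this illustration and are not the application's real functions. The hardened handlers accept only a well-formed opaque token, tie every read and cancel to the session that owns the appointment, and keep the doctor's read-only view from ever returning the token.

```python
"""Vulnerable vs hardened appointment lookup (constructed example, not FirstBlood code)."""
import re
import secrets
from dataclasses import dataclass
from typing import Optional

# The booking ID is 32 hex chars (128 bits from secrets.token_hex); anything else is rejected early.
TOKEN_RE = re.compile(r"\A[0-9a-f]{32}\Z")


@dataclass
class Appointment:
    aptid: int          # internal integer key; this is what the doctor panel displays
    token: str          # unguessable booking ID handed to the patient
    patient: str
    cancelled: bool = False


@dataclass
class Session:
    user: str
    role: str           # "patient" or "doctor" (assumed roles for this example)


class AppointmentStore:
    """In-memory stand-in for the appointment table."""

    def __init__(self) -> None:
        self._by_aptid: dict[int, Appointment] = {}
        self._by_token: dict[str, Appointment] = {}

    def book(self, patient: str) -> Appointment:
        apt = Appointment(aptid=len(self._by_aptid) + 1,
                          token=secrets.token_hex(16), patient=patient)
        self._by_aptid[apt.aptid] = apt
        self._by_token[apt.token] = apt
        return apt

    def by_aptid(self, aptid: int) -> Optional[Appointment]:
        return self._by_aptid.get(aptid)

    def by_token(self, token: str) -> Optional[Appointment]:
        return self._by_token.get(token)


def qa_vulnerable(store: AppointmentStore, id_param: str) -> tuple[int, dict]:
    """Weak lookup: falls back to the integer key, so an aptid seen in the doctor
    panel can be exchanged for the secret token. Kept here only for contrast."""
    apt = store.by_token(id_param)
    if apt is None and id_param.isdigit():
        apt = store.by_aptid(int(id_param))      # the defect: integer alias for the token
    if apt is None:
        return 404, {"error": "invalid appointment"}
    return 200, {"id": apt.token, "patient": apt.patient, "cancelled": apt.cancelled}


def _resolve_owned(store: AppointmentStore, session: Session,
                   id_param: str) -> tuple[int, Optional[Appointment], dict]:
    """Hardened resolution shared by the patient endpoints: token only, owner only."""
    if not TOKEN_RE.match(id_param):
        return 400, None, {"error": "malformed appointment id"}
    apt = store.by_token(id_param)
    # One response for "no such token" and "not your appointment", so the
    # API never confirms that a guessed or leaked token exists.
    if apt is None or session.role != "patient" or apt.patient != session.user:
        return 404, None, {"error": "invalid appointment"}
    return 200, apt, {}


def qa_hardened(store: AppointmentStore, session: Session, id_param: str) -> tuple[int, dict]:
    """Patient read endpoint: requires the opaque token and the owning session."""
    status, apt, err = _resolve_owned(store, session, id_param)
    if apt is None:
        return status, err
    return 200, {"id": apt.token, "patient": apt.patient, "cancelled": apt.cancelled}


def ma_cancel(store: AppointmentStore, session: Session, id_param: str) -> tuple[int, dict]:
    """Patient cancel endpoint: same resolver, so a doctor or another patient gets 404."""
    status, apt, err = _resolve_owned(store, session, id_param)
    if apt is None:
        return status, err
    apt.cancelled = True
    return 200, {"cancelled": True}


def drapi_query(store: AppointmentStore, session: Session, aptid: int) -> tuple[int, dict]:
    """Doctor panel read-only view keyed by aptid. Integer keys are fine here
    because the response never includes the patient's booking token."""
    if session.role != "doctor":
        return 403, {"error": "forbidden"}
    apt = store.by_aptid(aptid)
    if apt is None:
        return 404, {"error": "invalid appointment"}
    return 200, {"patient": apt.patient, "cancelled": apt.cancelled}
```

With a store holding one appointment for "alice" and a doctor session, `qa_vulnerable(store, "1")` returns alice's token, while `qa_hardened(store, doctor, "1")` returns 400, `qa_hardened(store, doctor, token)` returns 404, and only `ma_cancel(store, alice_session, token)` flips the appointment to cancelled.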