FirstBlood-#270: Email id can be modified for a patient
This issue was discovered on FirstBlood v1



On 2021-05-15, d20s84 Level 3 reported:

Summary: Modifying the email id of a patient has been commented out yet the server accepts the email= parameter.

Steps:

  1. Go to Manage appointments.
  2. Click on the modify button and intercept the request.
  3. Add an extra parameter email={value}. Make sure the Cookie: doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9; header is set. Use the image below for reference.
  4. Forward the request and boom!!! The email has been changed.

POC: Before:

After:

P2 High

Endpoint: /api/ma.php

Parameter: email=

Payload: -


FirstBlood ID: 7
Vulnerability Type: Application/Business Logic

The endpoint MA.php (used to modify an appointment) allows only certain values to be modified. However, due to an application logic error, if the user has tried to sign up as a doctor and has the "doctorAuthed" cookie set, the endpoint allows them to modify the email address for any appointment.
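
One way to close this class of bug is a server-side allow-list: the writable fields are derived from the role stored in the session, and any other parameter is rejected. This is an added example, not FirstBlood's code; the field names (`id`, `message`, `status`), the role names and the session layout are assumptions.

```php
<?php
declare(strict_types=1);

// Constructed model of an appointment-update handler. Field names, roles and
// the session layout are assumptions, not FirstBlood's code.

// Fields each role may write. 'email' is in no list, so no request can change it.
const WRITABLE_FIELDS = [
    'patient' => ['message'],
    'doctor'  => ['message', 'status'],
];

/**
 * Return the fields to persist, or throw if the request carries anything else.
 * $role must come from server-side session state, never from a request cookie.
 */
function filterAppointmentUpdate(array $params, string $role): array
{
    $allowed = WRITABLE_FIELDS[$role] ?? [];    // unknown role: nothing is writable
    unset($params['id']);                       // record selector, not a writable field
    $unexpected = array_diff(array_keys($params), $allowed);
    if ($unexpected !== []) {
        // Reject instead of silently dropping, so tampering is visible in logs.
        throw new InvalidArgumentException('not writable: ' . implode(', ', $unexpected));
    }
    return $params;
}

// Constructed request: the extra email= parameter plus a client-set doctorAuthed cookie.
$session = ['role' => 'patient'];                        // recorded by the server at login
$cookies = ['doctorAuthed' => 'client-supplied-value'];  // deliberately never consulted
$post    = ['id' => '1', 'message' => 'see you at 10', 'email' => 'new@example.test'];

try {
    filterAppointmentUpdate($post, $session['role']);
    echo "updated\n";
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}
```

Because the cookie is never read, its presence cannot widen the set of writable fields; a separate check that the appointment belongs to the caller is still needed before persisting the result.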