FirstBlood-#270Email id can be modified for a patient

On 2021-05-15, d20s84 reported:

Summary: Modifying the email id of a patient has been commented out yet the server accepts the email= parameter.


  1. Go to Manage appointments.
  2. Click on modify button and intercept the request.
  3. Add an extra parameter email={value}. Make sure Cookie: doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9 ; header is set . Use the image below for references
  4. Forward the request and boom !!! the email has been changed .

POC : Before:


P2 High

Endpoint: /api/ma.php

Parameter: email=

Payload: -

FirstBlood ID: 7
Vulnerability Type: Application/Business Logic

The endpoint MA.php (to modify an appointment) only allows for certain values to be modified, however due to some application logic error, if the user has tried to signup as a doctor and has the cookie "doctorAuthed" set, then it allows them to modify the email address for any appointment.

Respect Earnt: 1500000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.