FirstBlood-#813 — Appointment data can still be modified when upon adding a cookie
This issue was discovered on FirstBlood v2
On 2021-10-28, 0xblackbird Level 5 reported:
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles
Hi! I can see that users are still allowed to modify more data than they actually should be able to modify by just adding a cookie to their request.
Steps to reproduce:
- First of all, navigate to
/book-appointment.php and fill in all the required fields. Click on Book Appointment.
- Next, copy your appointment ID and go to
/yourappointments.php. Paste in the ID in the appointment ID field and click on Retrieve Appointment.
- Now click on Modify Appointment and intercept this request. Add the following cookie:
doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9 and for example edit the email-address.
- Forward the request and go back to your appointment. You'll see that the email-address has changed.
Thanks!
Kind regards,
0xblackbird
P3 Medium
Endpoint: /api/ma.php
Parameter: fName, lName, email, ...
Payload: N/A
FirstBlood ID: 33
Vulnerability Type: Application/Business Logic
Our mistake: We did not intentionally leave the code to change emails if the correct values were set, however it created interesting results because most discovered this but missed bug ID 20 and 21 and whilst it was not possible to modify via integer, if the ID was known it would still work.