FirstBlood-#1198 — Modifying appointment
This issue was discovered on FirstBlood v3
On 2022-12-08, pichik Level 4 reported:
Hi,
As you create a new appointment, you can visit it at /manageappointment.php?success&aptid=[id].
It says 'Modify Appointment', but the user can't really modify anything, just cancel it, so the user shouldn't be able to modify it.
And it's still possible to modify it after cancellation.
But if you click on cancel and intercept the request, there will be new headers coming with the request.
These headers are:
Apptid - appointment id
Dob - date of birth
Name - your name
x-site-req: permitted - required for this request
Didn't find any use of the Apptid header, but if you edit the dob and name headers, they will be changed in the appointment.
HERE IS POC SCREEN:
Not sure if this has any impact on its own, but as there are no options to change these values for the user, it should not be possible.
Hopefully I will find a better impact for this soon.
P4 Low
Endpoint: /api/ma.php
Parameter: Name/Dob Headers
Payload: change
FirstBlood ID: 49
Vulnerability Type: Application/Business Logic
Users can modify their name/dob via the header parameters on modify-appointment.php despite this being restricted on the web application
Creator & Administrator
Congratulations, you were the first to discover this!
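To make the business-logic flaw concrete for developers fixing this class of bug, here is an added example that is not FirstBlood's code: a small Python model of a cancel-appointment handler in the vulnerable shape the report describes (client-supplied Name/Dob headers written back to the record, and a cancelled appointment still writable) next to a hardened handler that only flips the status, never reads identity fields from the request, and logs their presence as a detection signal. The real endpoint is PHP (/api/ma.php); the in-memory store, the request shape, the owner_id ownership check and the audit log are assumptions made for this illustration, not part of the report.

```python
# Added example (not FirstBlood's code): models the flaw in FirstBlood-#1198
# and a hardened handler. The Appointment store, request shape, owner_id
# field and audit log are assumptions for this illustration.
from dataclasses import dataclass

SESSION_HEADER = "x-site-req"        # from the report: must be "permitted"
IDENTITY_HEADERS = ("Name", "Dob")   # headers the cancel request carried


@dataclass
class Appointment:
    apptid: int
    owner_id: int          # assumed: the user who booked it
    name: str
    dob: str
    status: str = "booked"


def make_store():
    """Constructed sample data for the example."""
    return {49: Appointment(49, owner_id=7, name="Alice Example", dob="1990-01-01")}


def vulnerable_cancel(store, request):
    """Vulnerable pattern: whatever Name/Dob the client sends is written
    back to the record, and a cancelled appointment can be rewritten again."""
    h = request["headers"]
    if h.get(SESSION_HEADER) != "permitted":
        return {"ok": False, "error": "missing x-site-req"}
    appt = store[request["apptid"]]
    if "Name" in h:
        appt.name = h["Name"]
    if "Dob" in h:
        appt.dob = h["Dob"]
    appt.status = "cancelled"
    return {"ok": True}


def unexpected_headers(headers):
    """Detection helper: identity fields arriving on a cancel request are
    worth logging, because the UI offers no way to edit them."""
    return sorted(k for k in headers if k in IDENTITY_HEADERS)


def hardened_cancel(store, request, session_user_id, audit_log):
    """Hardened pattern: cancel only changes status. Client-supplied
    name/dob are never stored, the record must belong to the caller,
    and a cancelled appointment is not modified again."""
    h = request["headers"]
    if h.get(SESSION_HEADER) != "permitted":
        return {"ok": False, "error": "missing x-site-req"}
    appt = store.get(request["apptid"])
    if appt is None or appt.owner_id != session_user_id:
        return {"ok": False, "error": "not found"}  # same answer for both cases
    extra = unexpected_headers(h)
    if extra:
        audit_log.append(
            f"apptid={appt.apptid} user={session_user_id} ignored headers {extra}")
    if appt.status == "cancelled":
        return {"ok": False, "error": "already cancelled"}
    appt.status = "cancelled"
    return {"ok": True}


def demo():
    """Runs both handlers on the same tampered cancel request (constructed
    values) and returns the resulting records plus the audit log."""
    tampered = {"apptid": 49,
                "headers": {"x-site-req": "permitted", "Apptid": "49",
                            "Name": "Mallory", "Dob": "2000-02-02"}}
    v_store = make_store()
    vulnerable_cancel(v_store, tampered)
    h_store, log = make_store(), []
    hardened_cancel(h_store, tampered, session_user_id=7, audit_log=log)
    return v_store[49], h_store[49], log


if __name__ == "__main__":
    v, h, log = demo()
    print("vulnerable:", v)
    print("hardened:  ", h)
    print("audit:     ", log)
```

The fix is the absence of code, not more of it: the cancel handler has no path that reads Name or Dob at all, so no amount of header tampering reaches the database. The audit entry gives the SOC a cheap detection rule (identity headers on a cancel request) for the same behaviour.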