FirstBlood-#1670 — Unauthenticated user is able to change a doctor's profile
This issue was discovered on FirstBlood v3
On 2022-12-13, didsec Level 5 reported:
Hi there
I found it is possible for an unauthenticated user to edit a doctor's profile via an API call to /api/managedoctors.php
To reproduce:
- Visit firstbloodhackers.com/api/managedoctors.php and intercept the request
- Change the request to a PUT request
- Add the following JSON to the data and forward the request
{
  "name": "Edited",
  "bio": "More editing here",
  "tagline": "Even more editing here",
  "drId": "1"
}
Image before editing
As you can see, the doctor's information has been changed
Image after editing
P2 High
FirstBlood ID: 75
Vulnerability Type: Access_control
An unauthenticated user can modify doctors via a PUT request on the /api/managedoctors.php endpoint
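The fix for this class of bug is a server-side authentication and authorization check before the PUT is processed. The handler below is an added illustration written for this report, not FirstBlood's code; it assumes a session that stores user_id and role (with doctor_id for doctor accounts), a PDO connection in $pdo, and a doctors table with id, name, bio and tagline columns.

```php
<?php
// Hypothetical hardened handler for PUT /api/managedoctors.php (not FirstBlood's code).
// Assumes $_SESSION['user_id'], $_SESSION['role'], $_SESSION['doctor_id'] and a PDO $pdo.
declare(strict_types=1);
session_start();

function json_error(int $status, string $message): void {
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['error' => $message]);
    exit;
}

if ($_SERVER['REQUEST_METHOD'] !== 'PUT') {
    json_error(405, 'method not allowed');
}
// 1. Authentication: the reported endpoint accepted the PUT with no session at all.
if (empty($_SESSION['user_id'])) {
    json_error(401, 'authentication required');
}

$body = json_decode(file_get_contents('php://input'), true);
$drId = filter_var($body['drId'] ?? null, FILTER_VALIDATE_INT);
if (!is_array($body) || $drId === false) {
    json_error(400, 'invalid JSON body or drId');
}

// 2. Authorization: the drId in the body is untrusted; compare it with the session.
$role    = $_SESSION['role'] ?? '';
$isAdmin = $role === 'admin';
$isOwner = $role === 'doctor' && (int) ($_SESSION['doctor_id'] ?? 0) === $drId;
if (!$isAdmin && !$isOwner) {
    json_error(403, 'not permitted to edit this profile');
}

// 3. Whitelist the editable columns and bind every value as a parameter.
$params = [':id' => $drId];
$set    = [];
foreach (['name', 'bio', 'tagline'] as $col) {
    if (isset($body[$col]) && is_string($body[$col])) {
        $set[]           = "$col = :$col";   // $col comes from the whitelist, not the request
        $params[":$col"] = $body[$col];
    }
}
if ($set === []) {
    json_error(400, 'no editable fields supplied');
}
$stmt = $pdo->prepare('UPDATE doctors SET ' . implode(', ', $set) . ' WHERE id = :id');
$stmt->execute($params);
header('Content-Type: application/json');
echo json_encode(['updated' => $drId]);
```

The same check belongs on every method the endpoint supports (GET, POST, DELETE), since an anonymous PUT is only the case this report exercised.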