FirstBlood-#10: Viewing/Cancelling anyone's appointment



On 2021-05-09, th4nu0x0 reported:

Summary:

On http://firstbloodhackers.com/ users can create an appointment, and the user gets back an appointment id which can then be used to cancel or view their appointment. Even though the appointment id is cryptic, entering a normal numerical id for the appointment gives the details of the appointment and also allows editing/cancelling the appointment, so an attacker can guess the numerical id and view personal information, modify the appointment and cancel the appointment.

Steps to reproduce:

  1. Visit http://firstbloodhackers.com:49211/book-appointment.html and book an appointment. You'll get an appointment id back.
  2. Log in to your admin account and visit the Admin dashboard > click on the appointment you made > intercept the request (you'll see a normal integer id is used to fetch the information; copy the id).
  3. Now go to Manage Appointment, enter the encrypted id in the box, intercept the request through the proxy and then change the value of id to the normal integer id.
  4. You'll be redirected to the appointment page where you can view/modify/cancel the appointment.

Impact:

Since the numerical id can be easily guessed, an attacker can use this to view/cancel/modify other users' appointments.

P2 High

Endpoint: POST /api/qa.php

Parameter: id

Payload: {appointment-id}


FirstBlood ID: 5
Vulnerability Type: IDOR

The endpoint QA.php (used to query for an appointment) will also accept integer values when querying for appointments, so the unguessable id is bypassed entirely. A bad case of security through obscurity was attempted.
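The following is an added example, not code from FirstBlood or from the report: a minimal in-memory model of an appointment-lookup endpoint like /api/qa.php that reproduces the flaw described above (an integer fallback beside the opaque id) next to a hardened lookup that has no integer code path at all. The class and function names, the sample records and the token format (32 URL-safe characters from `secrets.token_urlsafe(24)`) are assumptions made for illustration, not the real application's design.

```python
"""Model of an IDOR via integer fallback in an appointment-lookup endpoint.

Added example, not FirstBlood's own code. The store, the record layout and the
token format are assumptions; the point is the contrast between a lookup that
silently accepts integers and one that only accepts the opaque id.
"""
from __future__ import annotations

import secrets
from typing import Callable, Optional

TOKEN_LEN = 32  # token_urlsafe(24) -> 24 bytes -> exactly 32 base64url chars


def _looks_like_token(value: str) -> bool:
    """Reject anything that is not shaped like an opaque id before any lookup."""
    return len(value) == TOKEN_LEN and all(c.isalnum() or c in "-_" for c in value)


class AppointmentStore:
    """In-memory stand-in for the appointments table behind qa.php (assumed)."""

    def __init__(self) -> None:
        self._rows: dict[int, dict] = {}       # integer row id -> record
        self._by_token: dict[str, int] = {}    # opaque id -> integer row id
        self._next_id = 1

    def book(self, name: str, email: str) -> str:
        """Create an appointment and return the opaque id shown to the user."""
        row_id = self._next_id
        self._next_id += 1
        # Random, not derived from row_id: cannot be guessed or decoded back.
        token = secrets.token_urlsafe(24)
        self._rows[row_id] = {"name": name, "email": email, "cancelled": False}
        self._by_token[token] = row_id
        return token

    # --- vulnerable path: the behaviour the report describes ---------------
    def lookup_vulnerable(self, id_param: str) -> Optional[dict]:
        """Accepts the opaque id OR a plain integer. The integer branch is the IDOR."""
        if id_param.isdigit():                 # BUG: sequential row ids are guessable
            return self._rows.get(int(id_param))
        row_id = self._by_token.get(id_param)
        return self._rows.get(row_id) if row_id is not None else None

    def cancel_vulnerable(self, id_param: str) -> bool:
        return self._cancel(self.lookup_vulnerable(id_param))

    # --- hardened path ------------------------------------------------------
    def lookup_fixed(self, id_param: str) -> Optional[dict]:
        """Only the opaque id is accepted; there is no integer code path to reach."""
        if not _looks_like_token(id_param):
            return None
        row_id = self._by_token.get(id_param)
        return self._rows.get(row_id) if row_id is not None else None

    def cancel_fixed(self, id_param: str) -> bool:
        return self._cancel(self.lookup_fixed(id_param))

    @staticmethod
    def _cancel(rec: Optional[dict]) -> bool:
        """Cancel once; False if the record was not found or already cancelled."""
        if rec is None or rec["cancelled"]:
            return False
        rec["cancelled"] = True
        return True


def enumerate_ids(lookup: Callable[[str], Optional[dict]], max_id: int = 100) -> list[int]:
    """The attacker's step: try small integers in the id parameter, keep the hits."""
    return [i for i in range(1, max_id + 1) if lookup(str(i)) is not None]


if __name__ == "__main__":
    store = AppointmentStore()
    store.book("Alice", "alice@example.com")   # constructed sample bookings
    store.book("Bob", "bob@example.com")
    print("vulnerable leaks rows:", enumerate_ids(store.lookup_vulnerable))
    print("fixed leaks rows:     ", enumerate_ids(store.lookup_fixed))
```

Running the module books two appointments and shows that guessing `1..100` against the vulnerable lookup recovers every record, while the same guesses against the hardened lookup return nothing; the only way to reach a record there is to hold its random token. The "encrypted id" in the report hints at the trap: an id that is a transform of the row number is only as secret as the transform, whereas a random token stored beside the row is not derivable from anything the attacker can count.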

Report Feedback

@zseano

Creator & Administrator


Nice find! :)


Respect Earnt: 1500000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.