FirstBlood-#10 — Viewing/Cancelling anyone's appointment
This report has been reviewed and accepted as a valid vulnerability on FirstBlood!
On 2021-05-09, th4nu0x0 reported:
On http://firstbloodhackers.com/ users can create an appointment, and the user gets an appointment id which can be further used to cancel or view their appointment. Even though the appointment id is cryptic, entering a normal numerical id of the appointment gives the details of the appointment and also allows editing/cancelling the appointment, so an attacker can guess the numerical id and view personal information, modify the appointment and cancel the appointment.
Steps to reproduce:
- Visit http://firstbloodhackers.com:49211/book-appointment.html and book an appointment; you'll get an appointment id back.
- Log in to your admin account and visit the Admin dashboard > click on the appointment you made > intercept the request (you'll see a normal integer id is used to fetch the information; copy the id).
- Now go to Manage Appointment, enter the encrypted id in the box, intercept the request through the proxy and then change the value of id to the normal integer id.
- You'll be redirected to the appointment page, where you can view/modify/cancel the appointment.
Since the numerical id can be easily guessed, an attacker can use this to view/cancel/modify other users' appointments.
This report has been publicly disclosed for everyone to view
FirstBlood ID: 5
Vulnerability Type: IDOR
The endpoint QA.php (to query for an appointment) will allow integer values to be used when querying for appointments. A bad case of security through obscurity was attempted.
Creator & Administrator
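The failure mode described in the report and in the administrator's note (the user-facing lookup accepting the internal integer row id as well as the opaque appointment id) is reproduced below in a self-contained Python example. This is an added illustration, not FirstBlood's code: the data model, the `id` parameter handling, the token format and the sample appointments are all assumptions constructed for the demo. The vulnerable lookup is shown beside a hardened one that only ever resolves the opaque token, and an enumeration loop shows what an attacker guessing small integers gets from each.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Appointment:
    row_id: int   # internal auto-increment key (what the admin dashboard uses)
    token: str    # opaque id handed to the person who booked
    name: str
    notes: str


# Constructed sample data for the demo; not real appointments.
APPOINTMENTS = [
    Appointment(1, secrets.token_urlsafe(24), "alice", "dental check"),
    Appointment(2, secrets.token_urlsafe(24), "bob", "blood test"),
    Appointment(3, secrets.token_urlsafe(24), "carol", "follow-up"),
]


def lookup_vulnerable(id_param: str) -> Optional[Appointment]:
    """Mimics the reported behaviour (hypothetical reconstruction): the opaque
    token works, but a bare integer is accepted too and resolves directly to
    the internal row id, so the 'cryptic' id adds no protection at all."""
    if id_param.isdigit():
        row_id = int(id_param)
        return next((a for a in APPOINTMENTS if a.row_id == row_id), None)
    return next((a for a in APPOINTMENTS if a.token == id_param), None)


def lookup_hardened(id_param: str) -> Optional[Appointment]:
    """Only the opaque token is a valid key on the user-facing endpoint.
    The integer row id is never consulted, so guessing integers yields nothing.
    compare_digest keeps the comparison constant-time; encoding to bytes avoids
    a TypeError if the attacker sends non-ASCII input."""
    candidate = id_param.encode("utf-8", errors="surrogateescape")
    for a in APPOINTMENTS:
        if hmac.compare_digest(a.token.encode("ascii"), candidate):
            return a
    return None


def enumerate_ids(lookup: Callable[[str], Optional[Appointment]],
                  upper: int = 10) -> List[str]:
    """Attacker loop: submit id=1, id=2, ... and collect whatever comes back."""
    found = []
    for i in range(1, upper + 1):
        hit = lookup(str(i))
        if hit is not None:
            found.append(hit.name)
    return found


if __name__ == "__main__":
    print("vulnerable endpoint leaks:", enumerate_ids(lookup_vulnerable))
    print("hardened endpoint leaks:  ", enumerate_ids(lookup_hardened))
```

Two points the example makes concrete: the opaque token is only a control if it is the sole lookup key, and it must be unguessable (here 24 random bytes, 192 bits) and shown only to the person who booked, because possessing it is what authorises view, edit and cancel. An admin-only endpoint may keep using the integer id, but it must sit behind an admin session check rather than share a code path with the public lookup.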