FirstBlood-#10 — Viewing/Cancelling anyone's appointment
This issue was discovered on FirstBlood v1.0.0
On 2021-05-09, th4nu0x0 Level 2 reported:
On http://firstbloodhackers.com/ users can create an appointment and the user gets the appointment id which can be further used to cancel or view their appointment. Even though the appointment id is cryptic entering a normal numerical id of the appointment gives the details of the appointment and also allows to edit/cancel the appointment, so an attacker can guess the numerical id and view personal information, modify appointment and cancel appointment.
Steps to reproduce:
- Visit http://firstbloodhackers.com:49211/book-appointment.html and book an appointment, You'll get an appointment id back.
- Login to your admin account and visit the Admin dashboard > Click on the appointment you made > intercept the request (You'll see a normal integer id is used to fetch the information copy the id).
- Now go to mange appointment and Enter the encrypted id on the box and intercept the request through the proxy and then change the value of
idto the normal integer id.
- You'll be redirected to the appointment page where you can view/modify/cancel the appointment.
Since the numerical id can be easily guessed an attacker can use this to view/cancel/modify other users appointment.
FirstBlood ID: 5
Vulnerability Type: Insecure direct object reference
The endpoint QA.php (to query for an appointment) will allow for integer values to be used when querying for appointments. A bad cause of security through obscurity was attempted.