FirstBlood-#127 — IDOR on ma.php
This report has been reviewed and accepted as a valid vulnerability on FirstBlood!
On 2021-05-10, jpdev reported:
The manage appointments API allows for the use of integer values by capturing the request within Burp and amending the GUID to its integer ID. This ID can be found on the index page of the drpanel within the source of the page within the getinfo function call.
POST /api/ma.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept-Encoding: gzip, deflate
A malicious user can now use Burp Intruder to amend all appointments, removing potentially key notes.
This report has been publicly disclosed for everyone to view
FirstBlood ID: 6
Vulnerability Type: IDOR
The endpoint ma.php (used to modify an appointment) accepts integer values in place of the GUID when modifying appointments. This was a poor attempt at security through obscurity: the GUID only hid the sequential ID, and nothing checked that the caller owned the appointment.
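The following is an added example and not the FirstBlood application's own ma.php code; the in-memory store, function names, GUIDs and patient IDs are constructed for illustration. It shows the lookup pattern the report describes, where an integer ID is accepted in place of the GUID and no ownership check is made, beside a hardened lookup that rejects anything that is not a GUID and refuses the update unless the authenticated caller owns the appointment.

```php
<?php
// Added illustration (not FirstBlood's ma.php): an appointment-update lookup that
// reproduces the reported weakness, beside a hardened version. Store layout,
// function names and sample values are assumptions made for this example.

declare(strict_types=1);

// Constructed sample data: rows keyed by the sequential integer id, each carrying
// the GUID exposed to the browser and the id of the patient who owns the row.
const APPOINTMENTS = [
    1 => ['guid' => '0b7c3d4e-1f2a-4b5c-8d6e-9f0a1b2c3d4e', 'owner' => 'patient-a', 'notes' => 'allergy: penicillin'],
    2 => ['guid' => '7e8f9a0b-1c2d-4e3f-a4b5-c6d7e8f9a0b1', 'owner' => 'patient-b', 'notes' => 'follow-up in 6 weeks'],
];

// VULNERABLE: matches on either the GUID or the integer id and never checks who
// is asking. Anyone who learns or enumerates an integer id can edit any row.
function findAppointmentVulnerable(array $store, string $ref): ?int
{
    foreach ($store as $id => $row) {
        if ($row['guid'] === $ref || (string) $id === $ref) {
            return $id;
        }
    }
    return null;
}

// HARDENED: only a well-formed GUID is accepted, and the row is returned only
// when it belongs to the caller. The format check removes the integer shortcut;
// the ownership check is what actually closes the IDOR, because a GUID is a
// reference to an object, not a proof that the caller may modify it.
function findAppointmentHardened(array $store, string $ref, string $callerId): ?int
{
    if (!preg_match('/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i', $ref)) {
        return null; // not a GUID: integer ids and any other reference are refused
    }
    foreach ($store as $id => $row) {
        if (hash_equals($row['guid'], $ref)) {
            return $row['owner'] === $callerId ? $id : null; // exists, but not the caller's
        }
    }
    return null;
}

// Applies the edit when a row was resolved; a real handler would answer 403/404
// on null rather than silently doing nothing.
function updateNotes(array &$store, ?int $id, string $notes): bool
{
    if ($id === null) {
        return false;
    }
    $store[$id]['notes'] = $notes;
    return true;
}

// Demonstration: patient-b replays the report's request with "1" (patient-a's
// integer id) in place of the GUID and an empty notes field.
$caller = 'patient-b';
$ref    = '1';

$vulnStore = APPOINTMENTS;
$accepted  = updateNotes($vulnStore, findAppointmentVulnerable($vulnStore, $ref), '');
printf("vulnerable lookup accepted integer id: %s (notes now '%s')\n",
    $accepted ? 'yes' : 'no', $vulnStore[1]['notes']);

$hardStore = APPOINTMENTS;
$accepted  = updateNotes($hardStore, findAppointmentHardened($hardStore, $ref, $caller), '');
printf("hardened lookup accepted integer id:   %s (notes still '%s')\n",
    $accepted ? 'yes' : 'no', $hardStore[1]['notes']);
```

The format check alone is not the fix: if patient-b supplies patient-a's real GUID, only the ownership comparison stops the edit, so the authorization check must be present regardless of how unguessable the identifier is. On the detection side, requests to the endpoint whose reference does not match the GUID pattern are a cheap signal worth logging, since legitimate clients built from the page's own getinfo output never send bare integers.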
Respect Earnt: 1500000
is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.