FirstBlood-#127IDOR on ma.php

On 2021-05-10, jpdev reported:


The manage appointments API allows for the use of interger values by capturing the request within burp and amending the guid to its interger id. This ID can be found on the index page of the drpanel within the source of the page within the getinfo function call.


POST /api/ma.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
X-SITE-REQ: permitted
csrf: 99215d4e-0ff3-4275
Content-Length: 24
DNT: 1
Connection: close
Cookie: drps=62f02a3467fff377e02116e10



A melicious user can now use BURP intruder to amend all appointments removing potentially key notes.

P2 High

Endpoint: /api/ma.php

Parameter: id=

Payload: 56911904

FirstBlood ID: 6
Vulnerability Type: IDOR

The endpoint MA.php (to modify an appointment) will allow for integer values to be used when modifying appointments. A bad cause of security through obscurity was attempted.

Respect Earnt: 1500000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.