FirstBlood-#142 IDOR on newly registered doctor

On 2021-05-10, codersanjay reported:

A newly registered doctor cannot see the patients' info in general, but with the aptid known or randomly guessed, he can still get the patients' info by just sending a GET request to


PII leak


Endpoint: /drpanel/drapi/query.php

Parameter: aptid=56911019

Payload: aptid=56911019

FirstBlood ID: 11
Vulnerability Type: Application/Business Logic

Administrator endpoints can be accessed by non privileged doctor accounts which reveals sensitive patient information.
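To make the failure mode concrete, the following is an added example and not FirstBlood's code: an in-memory model of the `/drpanel/drapi/query.php?aptid=...` lookup, once as the report describes it (any authenticated doctor session returns any appointment) and once with an object-level authorization check, plus the differential test a pentester would run to confirm the IDOR. The `Session` type, the doctor ids, the patient records and the `find_idor` helper are constructed for the example; only the aptid 56911019 comes from the report.

```python
"""Added example (not FirstBlood's code): IDOR on an appointment lookup,
vulnerable handler beside the hardened one, with a differential test.
All data and names are constructed; only aptid 56911019 is from the report."""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional, Set, Tuple


@dataclass(frozen=True)
class Session:
    user_id: int
    role: str  # "admin" or "doctor" (assumed role model)


# Constructed sample data: doctor ids and patient fields are made up.
APPOINTMENTS = {
    56911019: {"doctor_id": 7, "patient": "Patient One", "dob": "1980-01-01"},
    56911020: {"doctor_id": 8, "patient": "Patient Two", "dob": "1975-06-30"},
    56911021: {"doctor_id": 7, "patient": "Patient Three", "dob": "1990-11-11"},
}

Response = Tuple[int, Optional[dict]]


def query_vulnerable(session: Optional[Session], aptid: int) -> Response:
    """Authentication only: any logged-in doctor can read any appointment.
    This is the behaviour the report describes."""
    if session is None:
        return 401, None
    appt = APPOINTMENTS.get(aptid)
    return (200, appt) if appt is not None else (404, None)


def query_fixed(session: Optional[Session], aptid: int) -> Response:
    """Object-level authorization: the record must belong to the requesting
    doctor unless the session is an admin. Unknown and unauthorized ids both
    return 404 so the endpoint does not confirm which aptids exist."""
    if session is None:
        return 401, None
    appt = APPOINTMENTS.get(aptid)
    if appt is None:
        return 404, None
    if session.role != "admin" and appt["doctor_id"] != session.user_id:
        return 404, None
    return 200, appt


def find_idor(query: Callable[[Optional[Session], int], Response],
              attacker: Session,
              owned_ids: Set[int],
              candidate_ids: Iterable[int]) -> list:
    """Differential test: every id the attacker can fetch with 200 but does not
    own is an IDOR hit. owned_ids is ground truth from the attacker's own
    account; candidate_ids is what they guess (e.g. a range round a known id)."""
    return [
        aptid for aptid in candidate_ids
        if aptid not in owned_ids and query(attacker, aptid)[0] == 200
    ]


if __name__ == "__main__":
    # A freshly registered doctor owns no appointments at all.
    new_doctor = Session(user_id=42, role="doctor")
    # "Randomly guessing": probe a small window around the known aptid.
    guesses = range(56911019 - 2, 56911019 + 3)
    print("vulnerable:", find_idor(query_vulnerable, new_doctor, set(), guesses))
    print("fixed:     ", find_idor(query_fixed, new_doctor, set(), guesses))
```

The check in `query_fixed` is the point of the fix: the aptid is never trusted as proof of access, the appointment's owning doctor is compared against the session, and the deny path is indistinguishable from a missing record so a low-privileged account cannot even enumerate which ids are valid.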

Respect Earnt: 1500000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.