FirstBlood #142: IDOR on newly registered doctor

On 2021-05-10, codersanjay reported:

A newly registered doctor cannot see the patients' info in general, but with an aptid known or randomly guessed, he can still get the patient's info by just sending a GET request to

http://firstbloodhackers.com:49432/drpanel/drapi/query.php?aptid=56911019

Impact: PII leak

P1 CRITICAL

Endpoint: /drpanel/drapi/query.php

Parameter: aptid=56911019

Payload: aptid=56911019


FirstBlood ID: 11
Vulnerability Type: Application/Business Logic

Administrator endpoints can be accessed by non-privileged doctor accounts, which reveals sensitive patient information.
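The root cause described above is a lookup keyed only by the client-supplied aptid, with no check that the caller is entitled to that record. The following is an added example (not FirstBlood's code, whose data model and roles are unknown) showing the unchecked lookup beside a hardened one. It assumes a `Doctor` with an `admin` or `doctor` role, appointments assigned to a single doctor, and a denied-access log that a defender can use to spot one account probing many aptid values; the sample records and ids are constructed.

```python
"""Authorization check for an appointment lookup endpoint (added example).

Assumed model: appointments are assigned to one doctor; an 'admin' role may
read any appointment, a 'doctor' role only its own. Both "not found" and
"forbidden" return 404 so the endpoint does not confirm which aptid values exist.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Doctor:
    doctor_id: int
    role: str  # assumed roles: "admin" or "doctor"


@dataclass(frozen=True)
class Appointment:
    aptid: int
    doctor_id: int        # doctor the appointment is assigned to
    patient_record: dict  # PII; constructed sample data below


# Constructed sample data; the aptid values are made up for this example.
APPOINTMENTS: Dict[int, Appointment] = {
    56911019: Appointment(56911019, 7, {"name": "A. Patient", "dob": "1980-01-01"}),
    56911020: Appointment(56911020, 3, {"name": "B. Patient", "dob": "1975-06-15"}),
}

# (caller doctor_id, requested aptid) for every denied request; feeds detection below.
DENIED_LOG: List[Tuple[int, int]] = []


def query_vulnerable(aptid: int) -> Tuple[int, Optional[dict]]:
    """Reported behaviour: any authenticated doctor can read any record by aptid."""
    apt = APPOINTMENTS.get(aptid)
    if apt is None:
        return 404, None
    return 200, apt.patient_record


def query_hardened(caller: Doctor, aptid: int) -> Tuple[int, Optional[dict]]:
    """Same lookup, but the record is released only to its assigned doctor or an admin."""
    apt = APPOINTMENTS.get(aptid)
    if apt is None:
        return 404, None
    if caller.role == "admin" or apt.doctor_id == caller.doctor_id:
        return 200, apt.patient_record
    # Deny, log the attempt, and answer exactly like "not found".
    DENIED_LOG.append((caller.doctor_id, aptid))
    return 404, None


def suspicious_callers(threshold: int) -> List[int]:
    """Doctor ids whose number of distinct denied aptid values meets the threshold.

    A single account collecting many denials across different aptid values is the
    audit-log signature of id guessing against this endpoint.
    """
    distinct = Counter()
    for doctor_id, aptid in set(DENIED_LOG):
        distinct[doctor_id] += 1
    return sorted(d for d, n in distinct.items() if n >= threshold)


if __name__ == "__main__":
    newcomer = Doctor(doctor_id=99, role="doctor")
    print(query_vulnerable(56911019))            # (200, {...}): the IDOR
    print(query_hardened(newcomer, 56911019))    # (404, None): not their appointment
    print(query_hardened(Doctor(7, "doctor"), 56911019))  # (200, {...})
```

The hardened lookup keeps the aptid in the URL; what changes is that the server derives the caller's identity from the session, not the request, and compares it against the record's owner before returning PII. Returning the same 404 for missing and forbidden records, plus logging every denial, gives the defender both a closed oracle and a detection signal.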


Respect Earnt: 1500000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.