FirstBlood-#142 IDOR on newly registered doctor
This issue was discovered on FirstBlood v1

On 2021-05-10, codersanjay Level 3 reported:

A newly registered doctor cannot see the patients' info in general, but with the aptid known, or by randomly guessing it, he can still get the patients' info by just sending a GET request to


PII leak


Endpoint: /drpanel/drapi/query.php

Parameter: aptid=56911019

Payload: aptid=56911019

FirstBlood ID: 11
Vulnerability Type: Application/Business Logic

Administrator endpoints can be accessed by non-privileged doctor accounts, which reveals sensitive patient information.
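The report above boils down to an endpoint that checks only that the caller is logged in, not that the caller is allowed to see the appointment named by aptid. The following is an added illustration, not FirstBlood's own code: a small model of a query handler in its vulnerable form next to a hardened form that enforces object-level authorization, plus a loop that plays the "randomly guessing" doctor against each. The Doctor and Appointment types, the sample appointments, and the usernames are all constructed for the example.

```python
"""Model of the authorization flaw behind /drpanel/drapi/query.php?aptid=...
and one way to fix it.  Constructed example, not FirstBlood's own code."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Doctor:
    """Hypothetical session principal: who is logged in and whether they are admin."""
    username: str
    is_admin: bool


@dataclass(frozen=True)
class Appointment:
    """Hypothetical appointment row: the id from the URL, the assigned doctor,
    and the patient PII the endpoint returns."""
    aptid: int
    doctor: str
    patient: dict = field(default_factory=dict)


# Constructed sample data standing in for the appointments table.
# The first id is the one from the report; the second is a neighbouring id,
# which is exactly what a guessing attacker would try next.
APPOINTMENTS = {
    56911019: Appointment(56911019, "drhouse", {"name": "A. Patient", "dob": "1980-01-01"}),
    56911020: Appointment(56911020, "drwho", {"name": "B. Patient", "dob": "1975-06-30"}),
}


def query_vulnerable(session, aptid):
    """Authentication is the only gate.  Any logged-in doctor, including one
    who registered a minute ago, can fetch any appointment by id.
    Returns (http_status, patient_record_or_None)."""
    if session is None:
        return 401, None
    apt = APPOINTMENTS.get(aptid)
    if apt is None:
        return 404, None
    return 200, apt.patient


def query_fixed(session, aptid):
    """Object-level authorization: the caller must be an admin or the doctor
    the appointment is assigned to.  Unauthorized and nonexistent ids both
    answer 404 so the endpoint cannot be used as an oracle for valid aptids."""
    if session is None:
        return 401, None
    apt = APPOINTMENTS.get(aptid)
    allowed = apt is not None and (session.is_admin or apt.doctor == session.username)
    if not allowed:
        return 404, None
    return 200, apt.patient


def count_leaks(handler, session, id_range):
    """Replay the reporter's technique: walk a range of candidate aptids as the
    given session and count how many return patient data."""
    return sum(1 for aptid in id_range if handler(session, aptid)[0] == 200)


if __name__ == "__main__":
    newdoc = Doctor("newdoc", is_admin=False)
    ids = range(56911000, 56911030)
    print("vulnerable handler, new doctor guessing ids:", count_leaks(query_vulnerable, newdoc, ids))
    print("fixed handler, new doctor guessing ids:     ", count_leaks(query_fixed, newdoc, ids))
```

The fix is the authorization predicate in query_fixed, not the 404 status; the uniform 404 is a secondary hardening so that the response code does not confirm which aptids exist. Independently of either, an 8-digit sequential aptid is cheap to enumerate, so a non-guessable identifier is worth adding as defence in depth, but it must never replace the access check.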