FirstBlood-#183 — GUUID is replaceable by an 8 digit number which makes it vulnerable to IDOR
This report has been reviewed and accepted as a valid vulnerability on FirstBlood!
On 2021-05-11, 0xblackbird reported:
Hello! I found out the GUUID can be replaced by a regular ID which actually makes it vulnerable to insecure direct object reference.
Steps to reproduce
- Create an appointment. To do so, visit /book-appointment.html and fill in the required fields.
- Next, navigate to /manageappointment.php and paste in your GUUID.
- Now click on Modify Appointment and intercept the request.
- Simply replace the GUUID with the ID. You can obtain the ID by signing in as drAdmin and inspecting your name.
- Forward the request and paste your GUUID again in the field.
- You'll notice that the comments section has changed. This indicates that it worked and that the id parameter is vulnerable to IDOR.
The id parameter accepts two types of IDs: regular IDs (an 8-digit number) and GUUIDs. The 8-digit number is likely to be more guessable than the GUUID and thus is vulnerable to IDOR.
This report has been publicly disclosed for everyone to view
FirstBlood ID: 6
Vulnerability Type: IDOR
The endpoint MA.php (used to modify an appointment) accepts integer values as well as the GUUID when modifying appointments. A bad case of security through obscurity was attempted: the unguessable GUUID gives no protection while the sequential internal id is accepted as an alternative selector.
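The following is an added illustration of the flaw, not FirstBlood's code: a Python model of an appointment-modification handler that, like MA.php, accepts the id parameter either as a GUUID or as the raw 8-digit row id, next to a variant that only accepts GUUID-shaped input. The appointment store, the GUUID values, the function names and the exact GUUID format check are all constructed assumptions; the page does not say how the real endpoint looks up records. An attacker loop replays the intercepted request with successive 8-digit ids against both handlers to show why the integer fallback turns an unguessable token into a sequential IDOR.

```python
import re
from typing import Callable, Dict, List, Optional

# Constructed sample appointment store (not FirstBlood's data). The integer key
# models the sequential 8-digit internal id; "guuid" is the random token the
# patient receives after booking.
APPOINTMENTS: Dict[int, dict] = {
    10000001: {"guuid": "3f2a9c1e-7b44-4d6e-9a0b-1c2d3e4f5a6b",
               "comments": "Bring previous X-rays"},
    10000002: {"guuid": "a7e61d90-2c5f-4b8a-8e13-6f0d9b2c4e71",
               "comments": "Follow-up, 15 minutes"},
}

# Assumed shape of a GUUID (8-4-4-4-12 lowercase hex); adjust to the real format.
GUUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def find_by_guuid(guuid: str) -> Optional[dict]:
    """Look an appointment up by its random token (linear scan is fine here)."""
    for appt in APPOINTMENTS.values():
        if appt["guuid"] == guuid:
            return appt
    return None


def modify_vulnerable(form: dict) -> bool:
    """Model of the behaviour the report describes: the id parameter is honoured
    both as a GUUID and as the raw 8-digit row id. The digit branch is the IDOR."""
    id_param = form.get("id", "")
    if id_param.isdigit():
        appt = APPOINTMENTS.get(int(id_param))   # direct row lookup, no token needed
    else:
        appt = find_by_guuid(id_param)
    if appt is None:
        return False
    appt["comments"] = form.get("comments", "")
    return True


def modify_fixed(form: dict) -> bool:
    """Hardened variant (an assumed fix, not the project's): the only selector the
    endpoint accepts is a well-formed GUUID, so the internal row id is never a
    valid input and sequential enumeration finds nothing."""
    id_param = form.get("id", "")
    if not GUUID_RE.match(id_param):
        return False
    appt = find_by_guuid(id_param)
    if appt is None:
        return False
    appt["comments"] = form.get("comments", "")
    return True


def enumerate_ids(handler: Callable[[dict], bool], start: int, count: int) -> List[int]:
    """Attacker loop: replay the intercepted modify request with successive
    8-digit ids and record which ones the handler accepted."""
    hits = []
    for candidate in range(start, start + count):
        if handler({"id": str(candidate), "comments": "changed by enumeration"}):
            hits.append(candidate)
    return hits


if __name__ == "__main__":
    print("vulnerable handler, ids accepted:",
          enumerate_ids(modify_vulnerable, 10000000, 10))
    print("fixed handler, ids accepted:",
          enumerate_ids(modify_fixed, 10000000, 10))
```

The check in modify_fixed rejects the integer form outright rather than mapping it to a record, which is the point of the report: as long as any accepted selector is sequential, the random GUUID is decoration. If the application had authenticated patient sessions, the stronger fix would additionally bind the appointment to the requesting user, but the page describes no such session, so the example only removes the guessable selector.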
Respect Earnt: 1500000
Respect is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.