FirstBlood-#183GUUID is replaceable by an 8 digit number which makes it vulnerable to IDOR



On 2021-05-11, 0xblackbird reported:

Hello! I found out the GUUID can be replaced by a regular ID which actually makes it vulnerable to insecure direct object reference.

Steps to reproduce

  • Create an appointment. To do so, visit /book-appointment.html and fill in the required fields.
  • Next, navigate to /manageappointment.php and paste in your GUUID.
  • Now click on Modify Appointment and intercept the request.
  • Simply replace the GUUID with the ID. You can obtain the ID by signing in as drAdmin and inspecting your name.
  • Forward the request and paste your GUUID again in the field.
  • You'll notice that the comments secion has changed. This indicates that it worked and that the id parameter is vulnerable to idor

Impact

The id parameter accepts 2 types of ID's, regular ID's (8-digit number) and GUUID's. The 8-digits number is likely to be more guessable than the GUUID and thus is vulnerable to IDOR.

Kind regards, 0xblackbird

P2 High

Endpoint: /api/ma.php

Parameter: id

Payload: 56910219


FirstBlood ID: 6
Vulnerability Type: IDOR

The endpoint MA.php (to modify an appointment) will allow for integer values to be used when modifying appointments. A bad cause of security through obscurity was attempted.


Respect Earnt: 1500000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.