FirstBlood-#183 — GUUID is replaceable by an 8 digit number which makes it vulnerable to IDOR
This issue was discovered on FirstBlood v1
On 2021-05-11, 0xblackbird Level 5 reported:
Hello! I found out the GUUID can be replaced by a regular ID which actually makes it vulnerable to insecure direct object reference.
Steps to reproduce
- Create an appointment. To do so, visit
/book-appointment.htmland fill in the required fields.
- Next, navigate to
/manageappointment.phpand paste in your GUUID.
- Now click on Modify Appointment and intercept the request.
- Simply replace the GUUID with the ID. You can obtain the ID by signing in as drAdmin and inspecting your name.
- Forward the request and paste your GUUID again in the field.
- You'll notice that the comments secion has changed. This indicates that it worked and that the id parameter is vulnerable to idor
The id parameter accepts 2 types of ID's, regular ID's (8-digit number) and GUUID's. The 8-digits number is likely to be more guessable than the GUUID and thus is vulnerable to IDOR.
Kind regards, 0xblackbird
FirstBlood ID: 6
Vulnerability Type: Insecure direct object reference
The endpoint MA.php (to modify an appointment) will allow for integer values to be used when modifying appointments. A bad cause of security through obscurity was attempted.