FirstBlood-#194 — IDOR found on /api/ma.php
This issue was discovered on FirstBlood v1.0.0
On 2021-05-11, rintox Level 3 reported:
An attacker can modify any appointment "Extra Comments" without needing to know the GUID value.
Steps to reproduce
- Create an appointment, grab the GUID and then go to /manageappointment.php?success&aptid=<GUID>
- Try to modify your appointment by adding some new text in the extra comments. Then click on the modify button. Send that request to Repeater
- Notice the POST request has 2 parameters. As you can see, the id has the value of the unguessable GUID. (Or is it?)
- As an admin doctor, go to the main dashboard and find the appointment. Click on the name and notice the request in Burp.
- Notice that it's making a request with an interesting parameter called
aptid. In this case the appointment is 56917795.
- Go to Repeater and modify the message parameter into something else. Then change the value of
idto this new value
- Now reload the endpoint /manageappointment.php?success&aptid=<GUID> and notice the comments have been modified.
Note. While studying the application and making requests to query.php, you will notice a pattern: All aptid start with 5691XXXX
This means that all a hacker needs to know, or in this case guess, are the last 4 digits. With a simple script, the hacker can modify all users comments from their appointments.
While GUIDs are unguessable and unpredictable, the application still allows appointments to be modified by using an int value from
aptid. This means that an attacker can change all comments from all users with a simple script, misleading the doctors about the issues a patient has.
FirstBlood ID: 6
Vulnerability Type: Insecure direct object reference
The endpoint MA.php (to modify an appointment) will allow for integer values to be used when modifying appointments. A bad cause of security through obscurity was attempted.