FirstBlood-#194 IDOR found on /api/ma.php
This issue was discovered on FirstBlood v1



On 2021-05-11, rintox Level 3 reported:

Summary

An attacker can modify any appointment "Extra Comments" without needing to know the GUID value.

Steps to reproduce

  1. Create an appointment, grab the GUID and then go to /manageappointment.php?success&aptid=<GUID>
  2. Try to modify your appointment by adding some new text in the extra comments. Then click on the modify button. Send that request to Repeater.
  3. Notice the POST request has 2 parameters. As you can see, the id has the value of the unguessable GUID. (Or is it?)
  4. As an admin doctor, go to the main dashboard and find the appointment. Click on the name and notice the request in Burp.
  5. Notice that it's making a request with an interesting parameter called aptid. In this case the appointment is 56917795.
  6. Go to Repeater and modify the message parameter into something else. Then change the value of id to this new value 56917795.
  7. Now reload the endpoint /manageappointment.php?success&aptid=<GUID> and notice the comments have been modified.

Note: While studying the application and making requests to query.php, you will notice a pattern: all aptid values start with 5691XXXX.

This means that all a hacker needs to know, or in this case guess, are the last 4 digits. With a simple script, the hacker can modify all users' comments from their appointments.

Impact

While GUIDs are unguessable and unpredictable, the application still allows appointments to be modified by using an int value from aptid. This means that an attacker can change all comments from all users with a simple script, misleading the doctors about the issues a patient has.

P2 High

Endpoint: /api/ma.php

Parameter: id

Payload: NA


FirstBlood ID: 6
Vulnerability Type: Insecure direct object reference

The endpoint ma.php (to modify an appointment) will allow for integer values to be used when modifying appointments. A bad case of security through obscurity was attempted.
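The root cause described above is that the modify endpoint resolves `id` against two columns: the unguessable GUID the patient was given, and the sequential integer row id (`aptid`) that the doctor dashboard exposes. The following is an added illustration, not FirstBlood's own code, of that lookup logic side by side with a hardened version that accepts only the GUID form and only consults the GUID column. The `AppointmentStore` class, its in-memory dictionaries and the sample appointment `56917795` are constructed for the example; the real application uses a database behind /api/ma.php.

```python
import re
import uuid
from dataclasses import dataclass

# Canonical 8-4-4-4-12 hex GUID. A bare integer such as "56917795" never matches,
# so the hardened path cannot be reached with a guessed row id.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


@dataclass
class Appointment:
    apt_id: int        # internal sequential row id (the "aptid" seen on the dashboard)
    guid: str          # unguessable handle handed to the patient
    message: str = ""  # the "Extra Comments" field


class AppointmentStore:
    """Constructed stand-in for the appointments table (assumption: two lookup keys)."""

    def __init__(self):
        self._by_id = {}    # apt_id -> Appointment
        self._by_guid = {}  # guid   -> Appointment

    def create(self, apt_id, message=""):
        apt = Appointment(apt_id, str(uuid.uuid4()), message)
        self._by_id[apt_id] = apt
        self._by_guid[apt.guid] = apt
        return apt

    def modify_vulnerable(self, raw_id, message):
        """Mirrors the reported behaviour: try the GUID first, then fall back to the
        integer row id. The fallback is the IDOR, because row ids are enumerable."""
        apt = self._by_guid.get(raw_id.lower())
        if apt is None and raw_id.isdigit():
            apt = self._by_id.get(int(raw_id))
        if apt is None:
            return False
        apt.message = message
        return True

    def modify_hardened(self, raw_id, message):
        """Accept only a well-formed GUID and resolve it only through the GUID column.
        Any other shape of `id` (integers included) is rejected before any lookup."""
        if not GUID_RE.fullmatch(raw_id):
            return False
        apt = self._by_guid.get(raw_id.lower())
        if apt is None:
            return False
        apt.message = message
        return True


def demo():
    """Shows the integer id succeeding against the vulnerable path and failing
    against the hardened one; returns the outcomes for inspection."""
    store = AppointmentStore()
    apt = store.create(56917795, "patient's original comments")  # constructed sample
    forged = store.modify_vulnerable("56917795", "tampered via row id")
    blocked = store.modify_hardened("56917795", "tampered via row id")
    legit = store.modify_hardened(apt.guid, "patient's updated comments")
    return {"forged": forged, "blocked": blocked, "legit": legit, "final": apt.message}


if __name__ == "__main__":
    print(demo())
```

The hardened variant keeps the GUID as the only capability that can modify an appointment; validating its format up front means a numeric `id` is rejected before the database is touched, so the 10,000-value guess space noted in the report (four unknown digits behind the fixed `5691` prefix) no longer reaches a lookup at all. On the detection side, a burst of requests to /api/ma.php whose `id` parameter is purely numeric is a direct signal of the enumeration the report describes, since a legitimate client only ever sends the GUID.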