FirstBlood-#20Enumerating PII.



On 2021-05-09, mava reported:

[COLLAB]
Hi Barker-Team,
@sehno and me found a vulnerability which allows to enumerate PII.

Summary

An attacker can craft a cookie and enumerate PII using a tool like intruder.
Normally the appointments are referenced by hashes, but this endpoint will show the PII for numeric values,
which can be enumerated once an attacker is authorized. (See https://www.bugbountyhunter.com/hackevents/report?id=25)

PoC

  1. Base64 encode {"doctorAuth":authed} which will give you the value eyJkb2N0b3JBdXRoIjphdXRoZWR9.
  2. Add the value as a new cookie: doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9.
  3. Visit http://firstbloodhackers.com:49210/drpanel/drapi/query.php?aptid=56910819 and see the PII:
  4. Use a tool like Intruder to enumerate all possible aptid values: (here a little example of 100 Id's):

Impact

This Vulnearbility potentially exposes alot of PII to an attacker.

Fix

Implement a safer cookie mechanism and aptIds must be Hashes not numbers

Kind regards,
Sehno, Max

p.s.: Sorry I could not edit the title, we would split 50/50.

P1 CRITICAL

Endpoint: drpanel/drapi/query.php

Parameter: aptid=56910819

Payload: 56910819


FirstBlood ID: 11
Vulnerability Type: Application/Business Logic

Administrator endpoints can be accessed by non privileged doctor accounts which reveals sensitive patient information.


Respect Earnt: 1000000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.