FirstBlood-#20 Enumerating PII.
This issue was discovered on FirstBlood v1

On 2021-05-09, mava Level 2 reported:

Hi Barker-Team,
@sehno and I found a vulnerability which allows enumerating PII.


An attacker can craft a cookie and enumerate PII using a tool like Intruder.
Normally the appointments are referenced by hashes, but this endpoint will show the PII for numeric values,
which can be enumerated once an attacker is authorized. (See


  1. Base64 encode {"doctorAuth":authed} which will give you the value eyJkb2N0b3JBdXRoIjphdXRoZWR9.
  2. Add the value as a new cookie: doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9.
  3. Visit and see the PII:
  4. Use a tool like Intruder to enumerate all possible aptid values (here is a little example of 100 IDs):


This vulnerability potentially exposes a lot of PII to an attacker.


Implement a safer cookie mechanism, and aptIds must be hashes, not numbers.

Kind regards,
Sehno, Max

p.s.: Sorry I could not edit the title, we would split 50/50.


Endpoint: drpanel/drapi/query.php

Parameter: aptid=56910819

Payload: 56910819

FirstBlood ID: 11
Vulnerability Type: Application/Business Logic

Administrator endpoints can be accessed by non-privileged doctor accounts, which reveals sensitive patient information.
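
A sketch of the remediation the report asks for, added here as an example and not taken from FirstBlood's code: the cookie carries an HMAC signature checked on the server, appointments are keyed by random tokens, and every lookup is authorized against the caller's role. All names (issue_cookie, verify_cookie, create_appointment, query), the claim fields and the rule that a doctor may read only their own records are assumptions; Python is used for illustration although the endpoint is PHP.

```python
import base64, hashlib, hmac, json, secrets

SECRET_KEY = secrets.token_bytes(32)  # assumption: secret held only by the server
APPOINTMENTS = {}                     # constructed in-memory store for the example

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(payload: str) -> bytes:
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()

def issue_cookie(user: str, role: str) -> str:
    """Return 'payload.signature'; the payload is readable but cannot be forged."""
    payload = b64e(json.dumps({"user": user, "role": role}).encode())
    return payload + "." + b64e(sign(payload))

def verify_cookie(cookie: str):
    """Return the claims dict, or None for a malformed, unsigned or altered cookie."""
    try:
        payload, sig = cookie.split(".")
        if not hmac.compare_digest(sign(payload), b64d(sig)):
            return None
        return json.loads(b64d(payload))
    except (ValueError, TypeError):
        return None

def create_appointment(doctor: str, patient: str) -> str:
    """Key each record by a random 128-bit token instead of a countable number."""
    apt_id = secrets.token_urlsafe(16)
    APPOINTMENTS[apt_id] = {"doctor": doctor, "patient": patient}
    return apt_id

def query(cookie: str, apt_id: str):
    """Return (status, record) as the query endpoint would."""
    claims = verify_cookie(cookie)
    if claims is None:
        return 401, None
    record = APPOINTMENTS.get(apt_id)
    allowed = record is not None and (
        claims["role"] == "admin" or record["doctor"] == claims["user"])
    # Unknown IDs and other doctors' records answer identically (no oracle).
    return (200, record) if allowed else (404, None)
```

With this in place the unsigned cookie value from the report is rejected with 401, and a numeric aptid such as the one in the report returns the same 404 as any other unknown or unauthorized ID.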