FirstBlood-#246 — IDOR
This report has been reviewed and accepted as a valid vulnerability on FirstBlood!
On 2021-05-14, prob_hakz reported:
fetching aptid values
POST /api/qa.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept-Encoding: gzip, deflate
In the above request, brute-force the last six values to leak the aptid of the appointment.
Able to see third-party appointments with the uuid.
This report has been publicly disclosed for everyone to view
FirstBlood ID: 5
Vulnerability Type: IDOR
The endpoint QA.php (used to query for an appointment) accepts plain integer values when querying for appointments, so the identifiers can be enumerated. A poor case of security through obscurity was attempted.
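To make the flaw and its fix concrete, here is an added example that is not code from the FirstBlood target or from the report: it models an appointment lookup keyed by a sequential integer aptid with no ownership check (the pattern described above), beside a hardened version that enforces ownership and, as defence in depth, exposes appointments under a random handle instead of a guessable integer. The data store, the user names and the aptid values are constructed for illustration and are assumptions, not values from the page.

```python
"""Added example (not the target's code): IDOR on an integer aptid,
and the authorization check that closes it.

Assumptions (not on the page): appointments live in a dict keyed by aptid,
and the caller's identity is the session user passed in by the caller.
"""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Appointment:
    aptid: int      # sequential integer: trivially enumerable
    owner: str      # account that booked the appointment
    details: str


# Constructed sample data: two users, three appointments.
APPOINTMENTS = {
    100001: Appointment(100001, "alice", "Dental check-up 09:00"),
    100002: Appointment(100002, "bob", "Eye test 11:30"),
    100003: Appointment(100003, "alice", "Physio 14:00"),
}

# The same records under a random 128-bit handle. Unlike a six-digit
# integer, a handle of this size cannot be walked through.
PUBLIC_HANDLE = {secrets.token_urlsafe(16): a for a in APPOINTMENTS.values()}


def lookup_vulnerable(aptid: int):
    """Models the reported behaviour: any integer aptid returns the record.
    Nothing ties the record to the user who asked for it."""
    return APPOINTMENTS.get(aptid)


def lookup_hardened(session_user: str, aptid: int):
    """Fix: fetch the record, then enforce ownership before returning it.
    A missing record and another user's record both yield None, so the
    response does not confirm which aptids exist."""
    apt = APPOINTMENTS.get(aptid)
    if apt is None or apt.owner != session_user:
        return None
    return apt


def lookup_by_handle(session_user: str, handle: str):
    """Defence in depth: unguessable handle AND the ownership check.
    The random handle alone is obscurity; the check is the control."""
    apt = PUBLIC_HANDLE.get(handle)
    if apt is None or apt.owner != session_user:
        return None
    return apt


def handle_for(aptid: int) -> str:
    """Test helper: the public handle that was issued for an aptid."""
    return next(h for h, a in PUBLIC_HANDLE.items() if a.aptid == aptid)


def cross_tenant_leaks(lookup, session_user: str, id_range=range(100000, 100010)):
    """Regression check for the fix: the aptids in id_range that `lookup`
    hands to session_user although they belong to someone else.
    An empty list means the authorization check holds over that range."""
    leaks = []
    for aptid in id_range:
        apt = lookup(session_user, aptid)
        if apt is not None and apt.owner != session_user:
            leaks.append(aptid)
    return leaks


if __name__ == "__main__":
    # The vulnerable lookup leaks bob's appointment to alice; the fixed one does not.
    print(cross_tenant_leaks(lambda u, i: lookup_vulnerable(i), "alice"))  # [100002]
    print(cross_tenant_leaks(lookup_hardened, "alice"))                    # []
```

The `cross_tenant_leaks` function is the check a reviewer can keep as a regression test: it fails the build if any record outside the session user's own set is ever returned, whatever identifier scheme is in use.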
Respect Earnt: 1500000
Respect is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.