FirstBlood-#260 — [COLLAB] Query appointment with simple ID / Bypass front end restriction
On 2021-05-15, jomar reported:
As with the other reports, this one was created in collaboration with Serizao.
I had initially not submitted this report because I thought it had the same root cause as report #46, but after a second check there is one thing that differs, so I created a new report.
However, if you look at the code of the page
The circled part corresponds to a small client-side check that verifies that the submitted ID contains a pull; it sort of verifies that it matches the expected format, i.e. something like
However, if we replay the request directly in Burp Suite, this check is not performed, and it is therefore possible to submit anything. At this point an XHR query is performed and the response is displayed if it is valid, otherwise "Invalid appoitment ID!"
It is therefore also possible to submit the reservation number here as a simple ID, which will be mapped to its complex equivalent.
For example, the simple ID
56911356 corresponds to the complex ID
- It is therefore possible to access another user's reservation by iterating on the ID, and also to modify/cancel their reservation.
- With this bug, it is also possible to obtain the stored XSS through the message parameter on the admin panel via another user's reservation (cf. bug #208).
- Do not limit yourself to client-side verification; also perform server-side verification.
- Use complex IDs (GUIDs) as much as possible, as in the user part, and do not map between a "simple" ID and a "complex" ID.
- If possible, add a second factor to validate that the reservation belongs to the user (such as validating the date of birth).
- Set up a request-limiting system or a captcha (reCAPTCHA v3, for example) in order to limit abusive requests.
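The following is an added example, not code from the report or from the FirstBlood application. It models the behaviour described above: a lookup that accepts either the GUID or the bare integer it maps to, with the only format check living in the browser, next to a hardened lookup that applies the recommendations (server-side format check, GUID-only keys, date of birth as a second factor, and a failure limit per client). The sample appointments, the GUID format, the field names and the limit of five failed attempts are all assumptions constructed for the example.

```python
import hmac
import re
from collections import defaultdict
from typing import Callable, Optional

# Constructed sample data (not from FirstBlood): a sequential "simple" ID per
# appointment, the random GUID the user is actually shown, the owner, the
# date of birth used as a second factor, and the free-text message field.
APPOINTMENTS = {
    1001: {"guid": "3f9c2e5a-1d47-4b8e-9a2c-0f6d1e7b5c43", "owner": "alice",
           "dob": "1990-04-02", "message": "Back pain follow-up"},
    1002: {"guid": "a71d0b9e-6c23-4f55-8e10-b4d2c9a3f6e1", "owner": "bob",
           "dob": "1985-11-19", "message": "Annual check-up"},
    1003: {"guid": "c0de4a12-8b7f-4e61-93d5-2a1f8c6e0b97", "owner": "carol",
           "dob": "2001-07-30", "message": "Vaccination"},
}
GUID_INDEX = {row["guid"]: simple for simple, row in APPOINTMENTS.items()}

# Assumed format for a "complex" ID: a lowercase RFC 4122 style GUID. The real
# application's ID format is not shown in the report.
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")

FAILURE_LIMIT = 5               # assumed cut-off for failed lookups per client
FAILED_ATTEMPTS: dict = defaultdict(int)


def client_side_check(appointment_id: str) -> bool:
    """Stand-in for the JavaScript check: only well-formed GUIDs reach the XHR.
    It runs in the browser, so a request replayed from a proxy never calls it."""
    return GUID_RE.match(appointment_id) is not None


def lookup_vulnerable(appointment_id: str) -> Optional[dict]:
    """Models the behaviour the report describes: no server-side format check,
    and a bare integer is silently mapped to its GUID equivalent."""
    if appointment_id.isdigit():
        simple = int(appointment_id)
    else:
        simple = GUID_INDEX.get(appointment_id)
    return APPOINTMENTS.get(simple)       # None -> "Invalid appointment ID!"


def lookup_hardened(appointment_id: str, dob: str, client: str = "anon") -> Optional[dict]:
    """Hardened version: the format is validated on the server, only the GUID
    is accepted as a key, the record's date of birth must match (second
    factor), and a client is cut off after FAILURE_LIMIT failed lookups."""
    if FAILED_ATTEMPTS[client] >= FAILURE_LIMIT:
        return None                       # locked out: no more guessing
    row = None
    if GUID_RE.match(appointment_id):
        simple = GUID_INDEX.get(appointment_id)
        if simple is not None:
            candidate = APPOINTMENTS[simple]
            # Constant-time compare so the DOB check does not leak via timing.
            if hmac.compare_digest(candidate["dob"].encode(), dob.encode()):
                row = candidate
    if row is None:
        FAILED_ATTEMPTS[client] += 1
    return row


def enumerate_ids(lookup: Callable[[str], Optional[dict]], start: int, stop: int) -> list:
    """The attack from the report: iterate plain integers against the endpoint
    and record which ones return a reservation."""
    return [c for c in range(start, stop) if lookup(str(c)) is not None]


if __name__ == "__main__":
    print("client check on integer:", client_side_check("1002"))
    print("vulnerable endpoint leaks:", enumerate_ids(lookup_vulnerable, 1000, 1010))
    scan = lambda i: lookup_hardened(i, "1990-04-02", client="scanner")
    print("hardened endpoint leaks:", enumerate_ids(scan, 1000, 1010))
    print("failed attempts counted:", FAILED_ATTEMPTS["scanner"])
```

Against the vulnerable lookup, walking ten integers returns all three reservations even though the client-side check would have rejected every one of them; against the hardened lookup the same walk returns nothing, and the scanner is locked out after five failures, which is the point of the last recommendation.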
FirstBlood ID: 5
Vulnerability Type: Insecure direct object reference
The endpoint QA.php (to query for an appointment) will allow integer values to be used when querying for appointments. A bad case of security through obscurity was attempted.