FirstBlood-#272 — PII Data of All Firstbloodhacker.com Patients Was Publicly Accessible
This issue was discovered on FirstBlood v1.0.0
On 2021-05-15, netmous3 reported:
Due to the easily guessable patient unique id aptID, all the Firstbloodhacker patients' personally identifiable information was leaked to the public.

The internal API function used to retrieve the appointment details of the patients (for managing them later) did not employ any authentication. Although it originally used the complex aptid value to query the patient's information, it accepts the short aptID value, which is easily guessable and allows the attacker to retrieve all the patients' complex aptid values with little effort. Using the Manage Appointment functionality of the web application, all the available PII could be retrieved by entering the aptid values extracted above.
Steps To Reproduce:
1. Create a new appointment, record the Manage Appointment page, and use the recorded aptID value to retrieve the information.
2. Observe the back-end API request made to retrieve the patient data from the database.
3. Send the back-end API request to Burp Intruder and set the payloads as below. Set the payload position for id. Payload type: Numbers, From: 56910000, To: 56911999, Step: 1.
4. Observe the results and record all the successfully retrieving
5. Use the recorded aptid values to retrieve the patient's PII data using the web app.
The leak of the patients' PII data could damage the business image of the company and be in violation of data protection regulations such as GDPR.
Refer below for the Burp Intruder setup.
[Screenshot: Burp Intruder payload settings, Numbers from 56910000 to 56911999]
FirstBlood ID: 5
Vulnerability Type: Insecure direct object reference
The endpoint QA.php (used to query for an appointment) accepts plain integer values when querying for appointments, so the long aptid value gives no protection. This was a bad case of attempted security through obscurity.
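The lookup pattern the report and the summary above describe, written out as an added Python illustration (not FirstBlood's QA.php) with a flawed handler beside a hardened one. The in-memory appointment store, the two tokens, the user names and the function names are all constructed for this example.

```python
"""Vulnerable vs hardened appointment lookup (constructed illustration)."""
import re
import secrets
from typing import Callable, Optional

# Constructed data: short numeric aptID -> record; each record also carries the
# long random aptid the site intended as the real lookup key.
ALICE_APTID = "4f2c0d9e8b7a6c5d4e3f2a1b0c9d8e7f"
BOB_APTID = "0a1b2c3d4e5f60718293a4b5c6d7e8f9"
APPOINTMENTS = {
    56910001: {"aptid": ALICE_APTID, "owner": "alice", "name": "Alice Example", "phone": "555-0100"},
    56910002: {"aptid": BOB_APTID, "owner": "bob", "name": "Bob Example", "phone": "555-0101"},
}
TOKEN_INDEX = {rec["aptid"]: rec for rec in APPOINTMENTS.values()}
TOKEN_RE = re.compile(r"[0-9a-f]{32}")


def lookup_vulnerable(id_param: str) -> Optional[dict]:
    """Mirrors the reported flaw: no authentication at all, and a short numeric
    id is honoured next to the long token, so the token adds nothing."""
    if id_param.isdigit():
        return APPOINTMENTS.get(int(id_param))  # the enumerable fallback path
    return TOKEN_INDEX.get(id_param)


def lookup_hardened(id_param: str, session_user: Optional[str]) -> Optional[dict]:
    """Require an authenticated session, accept only the 128-bit token format
    (never an integer), and return the record only to its owner. Unknown and
    not-owned tokens get the same 'not found' result so nothing is confirmed."""
    if session_user is None:
        return None  # 401: unauthenticated callers never get patient data
    if not TOKEN_RE.fullmatch(id_param):
        return None  # 400: short / numeric ids are not a valid key
    rec = TOKEN_INDEX.get(id_param)
    if rec is None or rec["owner"] != session_user:
        return None  # 404 in both cases
    return rec


def new_aptid() -> str:
    """Issue tokens from a CSPRNG; a guessable id is an IDOR waiting to happen."""
    return secrets.token_hex(16)


def scan_leaks(lookup: Callable[[str], Optional[dict]], start: int, stop: int) -> int:
    """Regression check for the fix: how many records does an unauthenticated
    integer sweep of [start, stop) return? Should be 0 after hardening."""
    return sum(1 for i in range(start, stop) if lookup(str(i)) is not None)
```

`scan_leaks(lookup_vulnerable, 56910000, 56912000)` reproduces the Intruder range from the report and returns 2 here, while the same sweep against `lambda i: lookup_hardened(i, None)` returns 0.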