FirstBlood-#272PII Data of the All patient's were Publicly Accessible
This issue was discovered on FirstBlood v1

On 2021-05-15, netmous3 Level 4 reported:


Due to the easily guessable patient's unique id aptID, all the Firstbloodhacer patient's personally identifiable information was leaked to the public.

Internal API function used to retrieve the appointment details of the patients for managing them later was not employed any of the authentications. Although it originally used the complex aptid value for query the patient's information, it accepting the short aptID value which easily guessable and allow the attacker to retrieve all the patients complex aptid value with a little effort. Using the Manage Appointment functionality of the web application, all the available PII could be retrieved by entering the extracted aptid values from above.

Steps To Reproduce:
  1. Create a new appointment and record the aptID value assigning.

  2. Visit the Manage Appointment page and use the recorded aptID value to retrieve the information.

  3. Observe the back-end API request made to retrieve the patient data from the database.

  4. Send the back-end API request to the burp intruder and set the payloads as below. Set the payload position for id Payload type: Numbers From: 56910000 To: 56911999 Step: 1

  5. Observe the results and record all the successfully retrieving aptid values.

  6. Use the recorded aptid values to the patient's PII data using the web app Manage Appointment functionality.


The leak of the patient's PII data could damage the business image of the company and be in violations of data protection regulations such as GDPR.

Refer below for the burp intruder setup.

P2 High

Endpoint: /api/qa.php

Parameter: id

Payload: Numbers from 56910000 to 56911999

FirstBlood ID: 5
Vulnerability Type: Insecure direct object reference

The endpoint QA.php (to query for an appointment) will allow for integer values to be used when querying for appointments. A bad cause of security through obscurity was attempted.