FirstBlood-#272 — PII data of all Firstbloodhacker.com patients was publicly accessible
This issue was discovered on FirstBlood v1
On 2021-05-15, netmous3 reported:
Due to the easily guessable patient unique id aptID, all Firstbloodhacker patients' personally identifiable information was leaked to the public.
The internal API function used to retrieve the appointment details of patients (for managing them later) did not employ any authentication.
Although it originally used the complex aptid value to query the patient's information, it accepts the short aptID value, which is easily guessable and allows an attacker to retrieve all the patients' complex aptid values with little effort.
Using the Manage Appointment functionality of the web application, all the available PII could then be retrieved by entering the aptid values extracted above.
Steps To Reproduce:
1. Create a new appointment and record the aptID value assigned.
2. Go to the Manage Appointment page and use the recorded aptID value to retrieve the information.
3. Observe the back-end API request made to retrieve the patient data from the database.
4. Send the back-end API request to the Burp Intruder and set the payloads as below.
   Set the payload position for
   Payload type: Numbers
5. Observe the results and record all the successfully retrieving
6. Use the recorded aptid values to retrieve the patients' PII data using the web app Manage Appointment functionality.
The leak of the patients' PII data could damage the business image of the company and be in violation of data protection regulations such as GDPR.
Refer below for the Burp Intruder setup.
Numbers from 56910000 to 56911999
FirstBlood ID: 5
Vulnerability Type: Insecure direct object reference
The endpoint QA.php (to query for an appointment) will allow integer values to be used when querying for appointments. A bad case of security through obscurity was attempted.
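The root cause above is two-fold: the lookup answers to a short sequential integer as well as to the long random reference, and it never checks who is asking. The following added example (illustrative Python, not the FirstBlood application's own PHP code) shows the reported pattern next to a hardened lookup that accepts only the long random reference, requires an authenticated user, and returns a record only to its owner. It also includes a defender-side check that flags a source address requesting many consecutive aptID values in an access log. The appointment records, owner names and log lines are constructed sample data; the log format and the aptID/aptid field names are assumptions.

```python
import hmac
import re
import secrets
from collections import defaultdict
from dataclasses import dataclass, field

TOKEN_LEN = 32  # hex chars from secrets.token_hex(16): 128 random bits, not guessable


@dataclass
class Appointment:
    short_id: int            # sequential counter: the guessable "aptID" of the report
    token: str               # long random reference: the "complex aptid" of the report
    owner: str               # account that booked the appointment
    pii: dict = field(default_factory=dict)


def build_sample_db():
    """Constructed sample records (hypothetical, not data from the report)."""
    db = {}
    people = [("alice", "Alice Example"), ("bob", "Bob Example")]
    for n, (owner, name) in enumerate(people, start=56910000):
        db[n] = Appointment(n, secrets.token_hex(16), owner,
                            {"name": name, "dob": "1990-01-01"})
    return db


def vulnerable_lookup(db, apt_ref):
    """Reproduces the reported flaw: the lookup matches either the long token
    or the short integer, and asks for no authentication at all."""
    for appt in db.values():
        if apt_ref == appt.token or apt_ref == str(appt.short_id):
            return appt.pii
    return None


def hardened_lookup(db, apt_ref, current_user):
    """Only the long random reference is accepted, a logged-in user is required,
    and the record is returned only to the account that owns it."""
    if current_user is None:
        return None                                   # authentication is mandatory
    if not re.fullmatch(r"[0-9a-f]{%d}" % TOKEN_LEN, apt_ref or ""):
        return None                                   # numeric/short references rejected
    for appt in db.values():
        # constant-time compare so response timing does not leak partial matches
        if hmac.compare_digest(apt_ref, appt.token) and appt.owner == current_user:
            return appt.pii
    return None


# Assumed access-log shape: "<ip> ... \"GET /QA.php?aptID=<n> HTTP/1.1\" <status>"
LOG_RE = re.compile(r'^(?P<ip>\S+) .*"GET /QA\.php\?aptID=(?P<id>\d+)')


def flag_sequential_scans(log_lines, min_hits=5):
    """Defender-side check: per source IP, collect the distinct aptID integers
    requested; a run of consecutive values is the signature of an enumeration.
    Returns {ip: (lowest_id, highest_id, distinct_count)} for flagged sources."""
    ids_by_ip = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            ids_by_ip[m.group("ip")].add(int(m.group("id")))
    flagged = {}
    for ip, ids in ids_by_ip.items():
        if len(ids) < min_hits:
            continue
        s = sorted(ids)
        consecutive = sum(1 for a, b in zip(s, s[1:]) if b - a == 1)
        if consecutive >= min_hits - 1:
            flagged[ip] = (s[0], s[-1], len(ids))
    return flagged


# Constructed log lines: one address walking six consecutive IDs, one normal user.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/May/2021:10:00:%02d +0000] "GET /QA.php?aptID=%d HTTP/1.1" 200'
    % (i, 56910000 + i) for i in range(6)
] + ['198.51.100.2 - - [15/May/2021:10:05:00 +0000] "GET /QA.php?aptID=56910001 HTTP/1.1" 200']


if __name__ == "__main__":
    db = build_sample_db()
    print("vulnerable, guessed integer:", vulnerable_lookup(db, "56910000"))
    print("hardened, guessed integer:  ", hardened_lookup(db, "56910000", "alice"))
    print("hardened, owner + token:    ", hardened_lookup(db, db[56910000].token, "alice"))
    print("flagged sources:", flag_sequential_scans(SAMPLE_LOG))
```

The hardened path does not rely on the token being secret alone: even a leaked token only yields the record to its owner, which is what turns "security through obscurity" into an actual authorization check. The log check is deliberately simple; in production the same idea belongs in a WAF rule or SIEM correlation keyed on the query parameter.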