FirstBlood-#48 [IDOR] Modifying anyone's Appointment information



On 2021-05-09, th4nu0x0 reported:

Summary:

  • On firstbloodhackers.com, when a user books an appointment, he is only allowed to change comments, but by adding the email parameter to the POST request it is possible to change the email of the appointment.

  • While modifying an appointment, the unique aptid (81b89f14-fd60-47ab-81fd-197b72a43f7e) is used as the identifier, but the normal numerical id (56912589) also works, and it can be easily guessed.

  • So by combining these two, an attacker can modify other users' appointment email and comments.

Steps To Reproduce:

  1. Create two appointments and save the ids.
  2. Log in to your admin account. On the dashboard you can see the appointments made; click the 1st appointment and intercept the request. There you'll see the numerical id; copy it.
  3. Now visit Manage appointment and enter the 2nd appointment id (e.g. 81b89f14-fd60-47ab-81fd-197b72a43f7e).
  4. Now click Modify appointment, intercept the request, add the POST parameter [email protected], and change the id to the numerical id of the 1st appointment.
  5. Now check the 1st appointment; you'll see this comment and email there.

Impact:

Since the numerical id can be easily guessed, an attacker can use this to modify other users' appointment email and comments.

P2 High

Endpoint: /api/ma.php

Parameter: id

Payload: {user-id}


FirstBlood ID: 7
Vulnerability Type: Application/Business Logic

The endpoint ma.php (used to modify an appointment) only allows certain values to be modified. However, due to an application logic error, if the user has tried to sign up as a doctor and has the cookie "doctorAuthed" set, the endpoint allows them to modify the email address of any appointment. Two weaknesses combine here: the appointment can be selected by its sequential numerical id instead of the random aptid, and a client-controlled cookie unlocks a field that the endpoint was never meant to accept.
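The following is an added example, not FirstBlood's code: a Python model of the modify-appointment logic that reproduces the two weaknesses described in the report (lookup by guessable numerical id, and a self-issued "doctorAuthed" cookie unlocking the email field), beside a hardened handler that only resolves appointments by the random aptid and only writes an allowlist of fields. The in-memory store, the request and cookie dictionaries, the UUIDs and the email addresses are all constructed for the demonstration.

```python
"""Vulnerable vs hardened modify-appointment logic (illustrative model)."""
import re

# Strict lowercase UUID shape, the format of the appointment's random aptid.
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")

# Constructed sample data: the numeric key is sequential and guessable,
# the aptid is random and only known to whoever booked the appointment.
def make_store():
    return {
        56912589: {"aptid": "4f2c9b1e-7a3d-4c8e-9b21-0e6f5a7d3c12",
                   "email": "victim@example.com", "comment": "first visit"},
        56912590: {"aptid": "a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d",
                   "email": "attacker@example.com", "comment": "mine"},
    }


# ---- Vulnerable handler: the behaviour the report describes ---------------
def find_vulnerable(store, ident):
    """Resolves by aptid OR by the raw numeric id, so guessing works."""
    for num_id, apt in store.items():
        if apt["aptid"] == ident or str(num_id) == str(ident):
            return apt
    return None


def modify_vulnerable(store, post, cookies):
    apt = find_vulnerable(store, post.get("id"))
    if apt is None:
        return {"ok": False, "error": "not found"}
    apt["comment"] = post.get("comment", apt["comment"])
    # Logic error: a cookie the client sets itself unlocks an extra field.
    if cookies.get("doctorAuthed") == "1" and "email" in post:
        apt["email"] = post["email"]
    return {"ok": True}


# ---- Hardened handler ------------------------------------------------------
WRITABLE_FIELDS = {"comment"}   # everything else is rejected, cookie or not


def find_hardened(store, ident):
    """Only the unguessable aptid is accepted; numeric ids are never looked up."""
    if not isinstance(ident, str) or not UUID_RE.match(ident):
        return None
    return next((a for a in store.values() if a["aptid"] == ident), None)


def modify_hardened(store, post, cookies):
    unexpected = sorted(k for k in post if k != "id" and k not in WRITABLE_FIELDS)
    if unexpected:
        # Fail closed on mass-assignment attempts instead of silently applying.
        return {"ok": False, "error": "unexpected fields", "fields": unexpected}
    apt = find_hardened(store, post.get("id"))
    if apt is None:
        return {"ok": False, "error": "not found"}
    for k in post:
        if k in WRITABLE_FIELDS:
            apt[k] = post[k]
    return {"ok": True}


# ---- The attack from the report, replayed against both handlers ----------
ATTACK_POST = {"id": "56912589", "comment": "pwned", "email": "attacker@example.com"}
ATTACK_COOKIES = {"doctorAuthed": "1"}   # self-issued by "signing up as a doctor"


def run_attack():
    """Returns (response, victim record) for each handler after the attack."""
    vuln_store, hard_store = make_store(), make_store()
    v = modify_vulnerable(vuln_store, ATTACK_POST, ATTACK_COOKIES)
    h = modify_hardened(hard_store, ATTACK_POST, ATTACK_COOKIES)
    return {"vulnerable": (v, vuln_store[56912589]),
            "hardened": (h, hard_store[56912589])}


if __name__ == "__main__":
    for name, (resp, record) in run_attack().items():
        print(f"{name:10s} {resp} -> {record}")
```

Against the vulnerable handler the victim's email and comment are overwritten; against the hardened one the request is rejected before any lookup because "email" is not writable, and even a request carrying only "comment" cannot reach the record without the aptid. The legitimate flow (owner supplies the aptid and a new comment) still works.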


Respect Earnt: 1500000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.