FirstBlood #58: Aptid enumeration via can be used to leak Appointment data
This issue was discovered on FirstBlood v1

On 2021-05-09, 0xconft Level 5 reported:

Hi there,

The can be used to leak a user's Appointment data by simply brute-forcing the id parameter of that endpoint. An attacker can validate the correct id by simply grepping for responses that contain the word "success". I also noticed the aptid starts from 56910000, which can be used to make the brute-forcing process faster.

PoC where id 56911356 will return the aptid of John Smith (294b1ccb-de2f-4685-821a-9e4d26009b44):


POST /api/qa.php HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 11
Connection: close



HTTP/1.1 200 OK
Server: nginx
Date: Sun, 09 May 2021 18:16:17 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 73


Best Regards, 0xconft
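The pattern the report describes (one client walking ids upward from 56910000 and keeping the "success" responses) is easy to spot on the defending side if the application logs the id it was asked for. The detector below is an added example, not part of the report or of FirstBlood; the log line format, the sample lines and the thresholds are all constructed assumptions.

```python
"""Detect sequential appointment-id enumeration against /api/qa.php.

Added example. It assumes the application writes one line per request in
the form shown in LOG_LINES; that format is an assumption for this
example, not FirstBlood's actual logging.
"""
import re
from collections import defaultdict
from datetime import datetime

ENDPOINT = "/api/qa.php"

# Assumed application log format (constructed for this example).
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) path=(?P<path>\S+) id=(?P<id>\d+) "
    r"result=(?P<result>\w+)$"
)

# Constructed sample: 198.51.100.7 walks ids upward from 56910000 within a
# few seconds (one hit); 203.0.113.5 fetches its own appointment twice.
LOG_LINES = [
    f"2021-05-09T18:16:{i:02d}Z ip=198.51.100.7 path={ENDPOINT} "
    f"id={56910000 + i} result={'success' if i == 4 else 'notfound'}"
    for i in range(8)
] + [
    f"2021-05-09T18:16:10Z ip=203.0.113.5 path={ENDPOINT} id=56911356 result=success",
    f"2021-05-09T18:20:10Z ip=203.0.113.5 path={ENDPOINT} id=56911356 result=success",
]


def parse(lines):
    """Return parsed events for the appointment endpoint only, sorted by time."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m["path"] != ENDPOINT:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ip": m["ip"],
            "id": int(m["id"]),
            "result": m["result"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def longest_consecutive_run(ids):
    """Length of the longest run of consecutive integers in ids (0 if empty)."""
    ordered = sorted(set(ids))
    best = run = 1 if ordered else 0
    for prev, cur in zip(ordered, ordered[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_enumeration(events, window_seconds=60, min_requests=5, min_run=4):
    """Flag clients whose lookups inside any time window look like an id walk.

    A client is flagged when, within window_seconds, it issues at least
    min_requests lookups whose ids contain a consecutive run of min_run or
    more. A user looking up their own appointment never produces that shape.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits in window_seconds.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            run = longest_consecutive_run(e["id"] for e in window)
            if len(window) >= min_requests and run >= min_run:
                prev = flagged.get(ip)
                if prev is None or run > prev["longest_run"]:
                    flagged[ip] = {
                        "requests": len(window),
                        "longest_run": run,
                        "successes": sum(e["result"] == "success" for e in window),
                        "first_id": min(e["id"] for e in window),
                    }
    return flagged


if __name__ == "__main__":
    for ip, info in find_enumeration(parse(LOG_LINES)).items():
        print(f"{ip}: {info}")
```

The consecutive-run check is what separates an enumeration from a busy but legitimate client: volume alone would also flag a clinic front desk, but a front desk does not request ids in counting order. Tune `window_seconds` and `min_run` to the traffic you actually see, and pair the alert with rate limiting on the endpoint itself.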

P2 High

Endpoint: /api/qa.php

Parameter: id

Payload: XXXXXXXX where each X is a decimal digit

FirstBlood ID: 5
Vulnerability Type: Insecure direct object reference

The endpoint qa.php (used to query for an appointment) accepts plain integer values when querying for appointments, and those integers are sequential, so an attacker can walk through them and retrieve other users' appointment data. This was a bad case of security through obscurity: the integer id was treated as if it were a secret, but it is neither unguessable nor tied to the requesting user.
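To make the triage note concrete, here is the reported lookup behaviour beside a hardened form of it. This is an added example written in Python (the real endpoint is PHP), not FirstBlood's code; the in-memory store, the field names and the `session_user` argument are assumptions. The first aptid is the value quoted in the report; the second record is constructed.

```python
"""Vulnerable versus hardened appointment lookup, modelled on the report.

Added example; the store, field names and session handling are assumptions.
"""
import uuid

# Constructed records. The integer keys imitate the sequential ids the
# reporter observed; the first aptid is the one quoted in the report.
APPOINTMENTS = {
    56911356: {"aptid": "294b1ccb-de2f-4685-821a-9e4d26009b44",
               "name": "John Smith", "owner": "john@example.invalid"},
    56911357: {"aptid": "0f2c9a6e-3b41-4f7d-9c2e-7d1a5b8e4c10",
               "name": "Jane Doe", "owner": "jane@example.invalid"},
}
# Secondary index keyed by the unguessable identifier.
BY_APTID = {rec["aptid"]: rec for rec in APPOINTMENTS.values()}

# One fixed failure response: the caller cannot tell "no such record" from
# "not your record", so the response body gives an id walk nothing to grep.
NOT_FOUND = {"status": "error", "message": "appointment not found"}


def qa_vulnerable(form):
    """Reproduces the reported behaviour of /api/qa.php.

    Any caller who supplies an integer id gets a 'success' response carrying
    the appointment's aptid: no authentication, and the id space is a short
    run of decimal digits that can be walked in order.
    """
    try:
        apt_id = int(form.get("id", ""))
    except ValueError:
        return NOT_FOUND
    rec = APPOINTMENTS.get(apt_id)
    if rec is None:
        return NOT_FOUND
    return {"status": "success", "aptid": rec["aptid"], "name": rec["name"]}


def qa_hardened(form, session_user):
    """Hardened lookup: random public identifier plus an ownership check.

    session_user is the identity of the authenticated caller (how the
    session is established is outside this example). The sequential
    database key is never accepted from the client.
    """
    if not session_user:
        return NOT_FOUND
    aptid = form.get("aptid", "")
    try:
        uuid.UUID(aptid)   # reject malformed input before touching the store
    except ValueError:
        return NOT_FOUND
    rec = BY_APTID.get(aptid)
    if rec is None or rec["owner"] != session_user:
        return NOT_FOUND   # identical body whether missing or someone else's
    return {"status": "success", "aptid": rec["aptid"], "name": rec["name"]}


def create_appointment(name, owner):
    """Issue a new appointment whose public handle is a random UUID4.

    uuid4() draws 122 random bits, so the handle cannot be found by counting;
    the integer key stays internal to the store.
    """
    new_key = max(APPOINTMENTS) + 1
    rec = {"aptid": str(uuid.uuid4()), "name": name, "owner": owner}
    APPOINTMENTS[new_key] = rec
    BY_APTID[rec["aptid"]] = rec
    return rec["aptid"]


if __name__ == "__main__":
    print(qa_vulnerable({"id": "56911356"}))
    print(qa_hardened({"aptid": "294b1ccb-de2f-4685-821a-9e4d26009b44"}, "mallory@example.invalid"))
    print(qa_hardened({"aptid": "294b1ccb-de2f-4685-821a-9e4d26009b44"}, "john@example.invalid"))
```

Two changes do the work: the public handle is random rather than sequential, and the record is only returned to the authenticated owner. Either one alone is weaker; an unguessable id still leaks once it appears in a shared link or log, and an ownership check on a sequential id still confirms which ids exist if the error bodies differ.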