FirstBlood-#58 Aptid enumeration via can be used to leak Appointment data

On 2021-05-09, 0xconft reported:

Hi there,

The can be used to leak a user's Appointment data by simply bruteforcing the id parameter of that endpoint. An attacker can validate the correct id by simply grepping for responses that contain the word "success". I also noticed that the aptid starts from 56910000, which can be used to make the bruteforcing process faster.

PoC where id 56911356 will return the aptid of john smith (294b1ccb-de2f-4685-821a-9e4d26009b44)


POST /api/qa.php HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 11
Connection: close



HTTP/1.1 200 OK
Server: nginx
Date: Sun, 09 May 2021 18:16:17 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 73


Best Regards, 0xconft

P2 High

Endpoint: /api/qa.php

Parameter: id

Payload: XXXXXXXX where each X is a decimal digit

FirstBlood ID: 5
Vulnerability Type: IDOR

The endpoint qa.php (used to query for an appointment) accepts plain integer values when querying for appointments. A bad case of security through obscurity was attempted.
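As an added illustration (not code from the report or from FirstBlood), the following Python models the behaviour described above and its fix: a lookup keyed on a sequential integer with no ownership check and a distinguishable "success" body, beside a hardened handler that requires a session, enforces ownership and returns one body for both missing and foreign appointments. It also shows a random reference generator to replace the counter, and a log check that flags a client walking the id space. The appointment store, owners, aptid values, function names and log format are all constructed assumptions.

```python
"""Added example (not FirstBlood's code): a minimal model of the qa.php
lookup showing the reported IDOR, the hardened version, and a log check
that flags id enumeration. All data, names and log lines are constructed."""
import re
import secrets
from collections import defaultdict

# Constructed appointment store. Keys mimic the sequential scheme the
# report describes (ids starting near 56910000 and counting up).
APPOINTMENTS = {
    56911356: {"owner": "john", "aptid": "aaaaaaaa-0000-4000-8000-000000000001"},
    56911357: {"owner": "alice", "aptid": "aaaaaaaa-0000-4000-8000-000000000002"},
}

# One body for every non-success outcome, so a miss and a "not yours" look alike.
NOT_FOUND = {"status": "error"}


def qa_vulnerable(params, session_user=None):
    """Model of the reported behaviour: the integer id is the only input,
    no ownership check is made, and the body differs between a hit
    ("success") and a miss, which is the oracle the report greps for."""
    apt = APPOINTMENTS.get(int(params["id"]))
    if apt is None:
        return NOT_FOUND
    return {"status": "success", "aptid": apt["aptid"]}


def qa_hardened(params, session_user=None):
    """Hardened lookup: require a session, enforce ownership, and return the
    same body for 'missing' and 'not yours' so there is no success oracle."""
    if session_user is None:
        return NOT_FOUND
    try:
        apt_key = int(params.get("id", ""))
    except ValueError:
        return NOT_FOUND
    apt = APPOINTMENTS.get(apt_key)
    if apt is None or apt["owner"] != session_user:
        return NOT_FOUND
    return {"status": "success", "aptid": apt["aptid"]}


def new_reference():
    """Replacement for a sequential id: a 128-bit random, URL-safe token.
    Unlike a counter it cannot be walked, but it is still paired with the
    ownership check above, since an unguessable reference is not authorisation."""
    return secrets.token_urlsafe(16)


# Constructed log format (assumed): client "METHOD PATH" id=N status marker
LOG_RE = re.compile(r'^(\S+) "POST /api/qa\.php" id=(\d+) (\d+) (\S+)$')

# Constructed sample: one client walks seven consecutive ids with a single hit,
# another queries only its own appointment.
SAMPLE_LOG = [
    f'203.0.113.5 "POST /api/qa.php" id={n} 200 error'
    for n in range(56911350, 56911356)
] + [
    '203.0.113.5 "POST /api/qa.php" id=56911356 200 success',
    '198.51.100.7 "POST /api/qa.php" id=56911357 200 success',
    '198.51.100.7 "POST /api/qa.php" id=56911357 200 success',
]


def flag_enumeration(log_lines, min_ids=5, max_hit_ratio=0.5):
    """Return clients that queried many distinct ids with mostly misses,
    the signature of someone walking the id space."""
    per_client = defaultdict(lambda: {"ids": set(), "hits": 0, "total": 0})
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, apt_id, _status, marker = m.groups()
        rec = per_client[client]
        rec["ids"].add(apt_id)
        rec["total"] += 1
        if marker == "success":
            rec["hits"] += 1
    flagged = [
        client for client, rec in per_client.items()
        if len(rec["ids"]) >= min_ids and rec["hits"] / rec["total"] <= max_hit_ratio
    ]
    return sorted(flagged)


if __name__ == "__main__":
    print(qa_vulnerable({"id": "56911356"}))                    # leaks without a session
    print(qa_hardened({"id": "56911356"}))                      # no session: error
    print(qa_hardened({"id": "56911356"}, session_user="alice"))  # wrong owner: same error
    print(qa_hardened({"id": "56911356"}, session_user="john"))   # owner: success
    print(new_reference())
    print(flag_enumeration(SAMPLE_LOG))                         # ['203.0.113.5']
```

The hardened handler fixes two things at once: authorisation (the appointment must belong to the session user) and the response oracle (a foreign id and a non-existent id produce byte-identical bodies). Random references remove the ability to walk the id space, but they are a defence in depth layer, not a substitute for the ownership check. The log check is deliberately simple; in production it would run over a sliding time window and feed a rate limiter or alert.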

Respect Earnt: 1000000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.