FirstBlood-#58 — Aptid enumeration via http://firstbloodhackers.com:49276/api/qa.php can be used to leak Appointment data
This report has been reviewed and accepted as a valid vulnerability on FirstBlood!
On 2021-05-09, 0xconft reported:
The http://firstbloodhackers.com:49276/api/qa.php endpoint can be used to leak a user's Appointment data by simply bruteforcing the id parameter of that endpoint. An attacker can validate the correct id by simply grepping for responses that contain the "success" word. I also noticed the aptid starts from 56910000, which can be used to make the bruteforcing process faster.
PoC where id 56911356 will return the aptid of john smith (294b1ccb-de2f-4685-821a-9e4d26009b44)
Request:
POST /api/qa.php HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept-Encoding: gzip, deflate

Response:
HTTP/1.1 200 OK
Date: Sun, 09 May 2021 18:16:17 GMT
Content-Type: text/html; charset=UTF-8
This report has been publicly disclosed for everyone to view
XXXXXXXX, where each X is a decimal digit
FirstBlood ID: 5
Vulnerability Type: IDOR
The QA.php endpoint (used to query for an appointment) accepts plain integer values when querying for appointments, so any valid appointment can be reached by guessing its number. This was a bad case of relying on security through obscurity.
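The enumeration pattern in this report is easy to spot on the server side once the id and outcome of each lookup are logged. The following detection script is an added example, not part of the original report or the FirstBlood application: it assumes a hypothetical application log format (timestamp, client, requested id, result) and flags clients that probe many distinct, closely spaced ids with mostly failed lookups inside a short window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (hypothetical format, not from the report):
# one line per lookup with the requested id and whether it resolved.
SAMPLE_LOG = """\
2021-05-09T18:16:01 10.0.0.5 POST /api/qa.php id=56911350 result=error
2021-05-09T18:16:01 10.0.0.5 POST /api/qa.php id=56911351 result=error
2021-05-09T18:16:02 10.0.0.5 POST /api/qa.php id=56911352 result=error
2021-05-09T18:16:02 10.0.0.5 POST /api/qa.php id=56911353 result=error
2021-05-09T18:16:03 10.0.0.5 POST /api/qa.php id=56911354 result=error
2021-05-09T18:16:03 10.0.0.5 POST /api/qa.php id=56911355 result=error
2021-05-09T18:16:04 10.0.0.5 POST /api/qa.php id=56911356 result=success
2021-05-09T18:16:04 10.0.0.5 POST /api/qa.php id=56911357 result=error
2021-05-09T18:20:10 10.0.0.9 POST /api/qa.php id=56911356 result=success
"""

LINE_RE = re.compile(r"^(\S+) (\S+) POST /api/qa\.php id=(\d+) result=(\w+)$")


def parse(log_text):
    """Parse the constructed log format into (timestamp, client, id, result) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, aid, result = m.groups()
            events.append((datetime.fromisoformat(ts), client, int(aid), result))
    return events


def find_enumerators(events, window_s=60, min_ids=5, max_success_ratio=0.5):
    """Return {client: stats} for clients whose lookups look like id enumeration:
    many distinct ids, mostly failing, with tiny gaps between neighbouring ids."""
    by_client = defaultdict(list)
    for ev in events:
        by_client[ev[1]].append(ev)
    flagged = {}
    for client, evs in by_client.items():
        evs.sort()
        ids = sorted({e[2] for e in evs})
        span = (evs[-1][0] - evs[0][0]).total_seconds()
        successes = sum(1 for e in evs if e[3] == "success")
        steps = [b - a for a, b in zip(ids, ids[1:])]
        # sequential probing: the median distance between neighbouring ids is at most 2
        sequential = bool(steps) and sorted(steps)[len(steps) // 2] <= 2
        if (len(ids) >= min_ids and span <= window_s
                and successes / len(evs) <= max_success_ratio and sequential):
            flagged[client] = {"distinct_ids": len(ids), "successes": successes}
    return flagged
```

The legitimate client 10.0.0.9, which looks up a single id it already knows, is not flagged; the probing client is, which is the signal to pair with the real fix of an ownership check on the appointment before returning it.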
Respect Earnt: 1000000
Respect is an experimental cryptocurrency based on the Ethereum blockchain with the mission of showing respect to those who deserve it. We are testing it out on our FirstBlood hackevent.