FirstBlood-#75IDOR in aptid which grants access to every appointment



On 2021-05-09, pichik reported:

Description

Hi,
this is similiar to report FirstBlood-#16, but with a little bit different approach.

This one will work in http://firstbloodhackers.com/yourappointments.php. But we need to create request with burp, as original request wont pass because it require '-' in ID parameter. So by adding '-' to input field and click to retrieve appointment and catching POST request to /api/qa.php with burp,
we can change body parameter id to any existing appointment in this format: 5691**** and response will contain url with aptid accessible by every user

POC:


By visiting this link we get access to that appointment

Impact

Impact is critical as an attacker can see every appointment, changing email, messages and cancel it as well

P2 High

Endpoint: /api/qa.php

Parameter: id

Payload: 5691****


FirstBlood ID: 5
Vulnerability Type: IDOR

The endpoint QA.php (to query for an appointment) will allow for integer values to be used when querying for appointments. A bad cause of security through obscurity was attempted.


Respect Earnt: 1500000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.