FirstBlood-#183 — GUUID is replaceable by an 8 digit number which makes it vulnerable to IDOR
This issue was discovered on FirstBlood v1
On 2021-05-11, 0xblackbird Level 5 reported:
Hello! I found out the GUUID can be replaced by a regular ID which actually makes it vulnerable to insecure direct object reference.
Steps to reproduce
- Create an appointment. To do so, visit /book-appointment.html and fill in the required fields.
- Next, navigate to /manageappointment.php and paste in your GUUID.
- Now click on Modify Appointment and intercept the request.
- Simply replace the GUUID with the ID. You can obtain the ID by signing in as drAdmin and inspecting your name.
- Forward the request and paste your GUUID again in the field.
- You'll notice that the comments section has changed. This indicates that it worked and that the id parameter is vulnerable to IDOR.
Impact
The id parameter accepts 2 types of IDs, regular IDs (8-digit number) and GUUIDs. The 8-digit number is likely to be more guessable than the GUUID and thus is vulnerable to IDOR.
Kind regards,
0xblackbird
P2 High
Endpoint: /api/ma.php
Parameter: id
Payload: 56910219
FirstBlood ID: 6
Vulnerability Type: Insecure direct object reference
The endpoint MA.php (to modify an appointment) will allow for integer values to be used when modifying appointments. A bad cause of security through obscurity was attempted.
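To illustrate the triage note, here is an added example (not FirstBlood's own code, and in Python rather than the app's PHP) of a lookup that, like the reported endpoint, accepts either an integer row id or a GUUID, beside a hardened version that only accepts a canonical GUID. The appointment table, the GUID values and the function names are constructed for this example; the integer 56910219 is the payload from the report.

```python
import re
import uuid

# Constructed in-memory appointment table: numeric row id plus a server-issued GUID.
APPOINTMENTS = {
    56910219: {"guid": "3f2a9d4e-8c1b-4e7a-9a6f-1d2c3b4a5e6f", "comments": "original"},
    56910220: {"guid": "9b7c6d5e-4f3a-4b2c-8d1e-0f9a8b7c6d5e", "comments": "someone else's"},
}

def lookup_vulnerable(id_param: str):
    """Mirrors the reported behaviour: an 8-digit integer is treated as a row id,
    so the hard-to-guess GUID can be bypassed by enumerating small integers."""
    if id_param.isdigit():
        return APPOINTMENTS.get(int(id_param))
    for row in APPOINTMENTS.values():
        if row["guid"] == id_param:
            return row
    return None

# Strict hyphenated form only; uuid.UUID() alone would also accept
# 32 bare hex digits, braces and the urn: prefix, which we do not want.
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

def lookup_hardened(id_param: str):
    """Reject anything that is not a canonical GUID before touching the table,
    so the numeric row id is never usable as a capability."""
    if not GUID_RE.fullmatch(id_param):
        return None
    try:
        canonical = str(uuid.UUID(id_param))  # normalises case
    except ValueError:
        return None
    for row in APPOINTMENTS.values():
        if row["guid"] == canonical:
            return row
    return None

if __name__ == "__main__":
    print("vulnerable, integer id:", lookup_vulnerable("56910219"))
    print("hardened, integer id:", lookup_hardened("56910219"))
    print("hardened, GUID:", lookup_hardened("3f2a9d4e-8c1b-4e7a-9a6f-1d2c3b4a5e6f"))
```

The GUID check only removes the integer shortcut; binding the appointment to the session or account that created it is the stronger fix where the application has one.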