FirstBlood-#10 — Viewing/Cancelling anyone's appointment
This issue was discovered on FirstBlood v1
On 2021-05-09, th4nu0x0 Level 2 reported:
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles
Summary:
On http://firstbloodhackers.com/ users can create an appointment and the user gets the appointment id which can be further used to cancel or view their appointment. Even though the appointment id is cryptic entering a normal numerical id of the appointment gives the details of the appointment and also allows to edit/cancel the appointment, so an attacker can guess the numerical id and view personal information, modify appointment and cancel appointment.
Steps to reproduce:
- Visit http://firstbloodhackers.com:49211/book-appointment.html and book an appointment, You'll get an appointment id back.
- Login to your admin account and visit the Admin dashboard > Click on the appointment you made > intercept the request (You'll see a normal integer id is used to fetch the information copy the id).
- Now go to mange appointment and Enter the encrypted id on the box and intercept the request through the proxy and then change the value of
id to the normal integer id.
- You'll be redirected to the appointment page where you can view/modify/cancel the appointment.
Impact:
Since the numerical id can be easily guessed an attacker can use this to view/cancel/modify other users appointment.
P2 High
Endpoint: POST /api/qa.php
Parameter: id
Payload: {appoinment-id}
FirstBlood ID: 5
Vulnerability Type: Insecure direct object reference
The endpoint QA.php (to query for an appointment) will allow for integer values to be used when querying for appointments. A bad cause of security through obscurity was attempted.
Report Feedback
Creator & Administrator
Nice find ! :)