FirstBlood-#172 — Adding cookie to the request allows us to modify way more data then allowed
This issue was discovered on FirstBlood v1.0.0
On 2021-05-11, 0xblackbird reported:
Hello Zseano! I found an business logic error that allowed me to edit more than only my message after making an appointment. All we need to do this is use a cookie called
doctorAuthedwhich is basically a base64 encoded JSON object.
Steps to reproduce
- First of all, we have to make an appointment, to do so, visit
/book-appointment.htmland fill in all the required fields.
- Click on Book appointment and copy your AppointmentID.
- Next, simply go to
/yourappointments.phpand paste in your AppointmentID and retrieve your appointment.
- Now normally, you should only be able to modify the extra comments section but we can actually modify anything by just manually appending a cookie to our request. To do so, click on Modify Appointment and intercept the request + send it to Repeater.
- Now, by just making this request, it won't change anything at all.
- But if we were to add the following cookie to our request, then it should change our email-address:
- And it did :D!
I was able to change other details and completely bypass the application logic.
Kind regards, 0xblackbird
fName, lName, email, ...
FirstBlood ID: 7
Vulnerability Type: Application/Business Logic
The endpoint MA.php (to modify an appointment) only allows for certain values to be modified, however due to some application logic error, if the user has tried to signup as a doctor and has the cookie "doctorAuthed" set, then it allows them to modify the email address for any appointment.