FirstBlood #172: Adding a cookie to the request allows us to modify way more data than allowed



On 2021-05-11, 0xblackbird reported:

Hello Zseano! I found a business logic error that allowed me to edit more than only my message after making an appointment. All we need to do this is use a cookie called doctorAuthed, which is basically a base64-encoded JSON object.

Steps to reproduce

  • First of all, we have to make an appointment. To do so, visit /book-appointment.html and fill in all the required fields.

  • Click on Book appointment and copy your AppointmentID.
  • Next, simply go to /yourappointments.php and paste in your AppointmentID and retrieve your appointment.

  • Now, normally you should only be able to modify the extra comments section, but we can actually modify anything by just manually appending a cookie to our request. To do so, click on Modify Appointment and intercept the request + send it to Repeater.

  • Now, by just making this request, it won't change anything at all.

  • But if we were to add the following cookie to our request, then it should change our email address: doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9

  • And it did :D!

Impact

I was able to change other details and completely bypass the application logic.

Kind regards, 0xblackbird

P2 High

Endpoint: /api/ma.php

Parameter: fName, lName, email, ...

Payload: N/A


FirstBlood ID: 7
Vulnerability Type: Application/Business Logic

The endpoint MA.php (to modify an appointment) only allows certain values to be modified; however, due to an application logic error, if the user has tried to sign up as a doctor and has the cookie "doctorAuthed" set, the endpoint allows them to modify the email address for any appointment.
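The flaw described above is an authorization decision derived from a client-controlled cookie. The following Python model, added here and not taken from the FirstBlood application, places the vulnerable role check beside a hardened one that looks the role up in a server-side session store and applies a per-role allowlist of editable fields; the field names match the report, while the session ids, appointment data and role store are constructed for illustration.

```python
# Constructed sample data; field names follow the report, the rest is made up.
ALL_FIELDS = {"fName", "lName", "email", "comments"}
PATIENT_EDITABLE = {"comments"}      # a patient may only change extra comments
DOCTOR_EDITABLE = ALL_FIELDS         # a verified doctor may change everything

# Server-side session store (opaque session id -> role). This stands in for
# the session the hardened check consults instead of trusting a cookie value.
SESSIONS = {"sess-doctor-01": "doctor", "sess-patient-01": "patient"}


def role_vulnerable(cookies: dict) -> str:
    """Mirrors the reported flaw: the mere presence of a client-supplied
    doctorAuthed cookie is treated as proof that a doctor is logged in."""
    return "doctor" if "doctorAuthed" in cookies else "patient"


def role_hardened(cookies: dict) -> str:
    """Role comes from the server-side session, never from a cookie the
    client can invent. Unknown or missing sessions fall back to patient."""
    return SESSIONS.get(cookies.get("session", ""), "patient")


def apply_modification(appointment: dict, changes: dict, role: str):
    """Apply only the fields this role may edit.

    Returns (updated_appointment, rejected_fields). A non-empty rejected list
    is the signal worth logging: it shows a client trying to push fields the
    UI never offers, which is exactly what this report exploited."""
    allowed = DOCTOR_EDITABLE if role == "doctor" else PATIENT_EDITABLE
    rejected = sorted(set(changes) - allowed)
    updated = dict(appointment)
    for field in allowed & set(changes):
        updated[field] = changes[field]
    return updated, rejected


def demo():
    """Same forged request against both checks; returns the resulting emails
    and the fields the hardened path refused."""
    appt = {"fName": "Alice", "lName": "Smith",
            "email": "alice@example.com", "comments": ""}
    changes = {"email": "attacker@example.com", "comments": "running late"}
    # Only the cookie's presence matters to the vulnerable check; its
    # value is irrelevant, so a placeholder is used here.
    forged = {"doctorAuthed": "PLACEHOLDER"}
    vuln, _ = apply_modification(appt, changes, role_vulnerable(forged))
    hard, rejected = apply_modification(appt, changes, role_hardened(forged))
    return vuln["email"], hard["email"], rejected
```

The hardened path leaves the email untouched and reports `["email"]` as rejected, which is the event a detection rule on the modify endpoint should alert on.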


Respect Earnt: 1500000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.