FirstBlood-#172 — Adding cookie to the request allows us to modify way more data then allowed
This report has been reviewed and accepted as a valid vulnerability on FirstBlood!
On 2021-05-11, 0xblackbird reported:
Hello Zseano! I found an business logic error that allowed me to edit more than only my message after making an appointment. All we need to do this is use a cookie called
doctorAuthed which is basically a base64 encoded JSON object.
Steps to reproduce
- First of all, we have to make an appointment, to do so, visit
/book-appointment.html and fill in all the required fields.
- Click on Book appointment and copy your AppointmentID.
- Next, simply go to
/yourappointments.php and paste in your AppointmentID and retrieve your appointment.
- Now normally, you should only be able to modify the extra comments section but we can actually modify anything by just manually appending a cookie to our request. To do so, click on Modify Appointment and intercept the request + send it to Repeater.
- Now, by just making this request, it won't change anything at all.
- But if we were to add the following cookie to our request, then it should change our email-address:
- And it did :D!
I was able to change other details and completely bypass the application logic.
This report has been publicly disclosed for everyone to view
fName, lName, email, ...
FirstBlood ID: 7
Vulnerability Type: Application/Business Logic
The endpoint MA.php (to modify an appointment) only allows for certain values to be modified, however due to some application logic error, if the user has tried to signup as a doctor and has the cookie "doctorAuthed" set, then it allows them to modify the email address for any appointment.
Respect Earnt: 1500000
is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.