FirstBlood-#192 Privilege Escalation on /drpanel/drapi/query.php and /drpanel/drapi/query.php
This issue was discovered on FirstBlood v1
On 2021-05-11, iffu Level 5 reported:

Hi zseano...

Summary

I've found a privilege escalation bug on the application. It is very simple. We gain administrative privileges by simply changing the admin cookie with the low-privileged account's cookie.

Probably, the process to check whether a user is admin or not is done on the client side, because I see alerts and other JavaScript stuff displayed when I check details of other users using a low-privileged account.

Steps to reproduce

  • Surf every endpoint on /drpanel with the provided admin credentials.
  • Turn on Burp while doing this.
  • Now, on the /drpanel/drapi/query.php and /drpanel/drapi/query.php requests, just replace the admin's cookie with the low-privileged user's cookie.
  • You will observe that you get a response which is not intended.
  • You have bypassed the client-side validations and checks.

Thanks zseano, and please let me know if you need any more information regarding this.

P1 CRITICAL

Endpoint: /drpanel/drapi/query.php and /drpanel/drapi/query.php

Parameter: ***

Payload: ***


FirstBlood ID: 11
Vulnerability Type: Application/Business Logic

Administrator endpoints can be accessed by non-privileged doctor accounts, which reveals sensitive patient information.
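The cookie-swap replay the report describes, as an added example that is not part of the original report or of FirstBlood's own code. It models the bug in a small local HTTP server: the vulnerable handler only checks that the session cookie is valid (the admin-only restriction is assumed to live in the panel's JavaScript), while the fixed handler enforces the role on the server, bound to the session. The check replays the captured admin request with the doctor's cookie and reports whether the same data comes back. The cookie name `session`, the session tokens, the patient records and the handler classes are all constructed for the example; the report does not give the real cookie name, parameter or payload.

```python
"""Replay an admin-only request with a low-privileged session cookie (added example)."""
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError

# Constructed sample state (not from the report): session store keyed by
# cookie value, and the patient records the admin-only endpoint returns.
COOKIE_NAME = "session"  # assumption: the real cookie name is not in the report
SESSIONS = {
    "tok-admin-0001": {"user": "admin", "role": "admin"},
    "tok-doctor-0002": {"user": "dr_smith", "role": "doctor"},
}
PATIENTS = [
    {"id": 1, "name": "Jane Doe", "diagnosis": "constructed sample"},
    {"id": 2, "name": "John Roe", "diagnosis": "constructed sample"},
]
ADMIN_ENDPOINT = "/drpanel/drapi/query.php"  # endpoint named in the report


def parse_cookies(header):
    """Split a Cookie request header into a name -> value dict."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


class VulnerableHandler(BaseHTTPRequestHandler):
    """Models the bug: authentication only, role assumed to be checked client-side."""

    def log_message(self, *args):  # keep the check quiet
        pass

    def session(self):
        cookies = parse_cookies(self.headers.get("Cookie", ""))
        return SESSIONS.get(cookies.get(COOKIE_NAME))

    def send_json(self, status, body):
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def authorize(self, sess):
        return sess is not None  # any valid session passes: the flaw

    def do_GET(self):
        if self.path.split("?", 1)[0] != ADMIN_ENDPOINT:
            return self.send_json(404, {"error": "not found"})
        sess = self.session()
        if sess is None:
            return self.send_json(401, {"error": "login required"})
        if not self.authorize(sess):
            return self.send_json(403, {"error": "admin only"})
        self.send_json(200, {"patients": PATIENTS})


class FixedHandler(VulnerableHandler):
    """Server-side role check bound to the session; a cookie swap cannot bypass it."""

    def authorize(self, sess):
        return sess["role"] == "admin"


def serve(handler_cls):
    """Start the handler on an ephemeral localhost port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def replay(port, cookie_value):
    """Resend the admin request with a substituted cookie, as one would in Burp Repeater."""
    req = urllib.request.Request(
        f"http://127.0.0.1:{port}{ADMIN_ENDPOINT}",
        headers={"Cookie": f"{COOKIE_NAME}={cookie_value}"},
    )
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except HTTPError as err:
        return err.code, json.loads(err.read())


def privilege_escalation_possible(handler_cls):
    """True when the doctor's cookie yields the same 200 and body as the admin's."""
    server, port = serve(handler_cls)
    try:
        admin_status, admin_body = replay(port, "tok-admin-0001")
        doctor_status, doctor_body = replay(port, "tok-doctor-0002")
    finally:
        server.shutdown()
        server.server_close()
    return admin_status == 200 and doctor_status == 200 and doctor_body == admin_body


if __name__ == "__main__":
    for cls in (VulnerableHandler, FixedHandler):
        print(cls.__name__, "escalation possible:", privilege_escalation_possible(cls))
```

Against a real target the same comparison is done by hand: capture the admin request, swap only the cookie, and treat an identical 200 response to the doctor's session as a server-side authorization failure, regardless of what the panel's JavaScript hides.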