FirstBlood-#43Doctor Registration code misconfiguration



On 2021-05-09, vermsec reported:

Hello team, The inviteCode parameter lacks proper validation, and allows us to register a user with other user's invite code which contradicts to what the application mentions about how the doc accounts are already created. This also allows us to use the same code to register multiple accounts.

Description

Business logic vulnerabilities are flaws in the design and implementation of an application that allow an attacker to elicit unintended behavior. This potentially enables attackers to manipulate legitimate functionality to achieve a malicious goal. These flaws are generally the result of failing to anticipate unusual application states that may occur and, consequently, failing to handle them safely.

Impact

Using this the attacker can register as many accounts as he wants.

Proof of Concept

Steps to Reproduce

  1. A public post on reddit leaks an invite code for our application. link here - https://www.reddit.com/r/BugBountyHunter/comments/n4xzw1/firstbloodhackerscom_doctor_registration/

  2. This code allows us to register a user, but the issue here is that the same code can be reused to register as many users as we want. As we can see in the following screenshots we are registering two users with the same invite code.

Remediation

Apply proper validation so that an Invite Code cannot be re-used.

P2 High

Endpoint: /register.php

Parameter: inviteCode

Payload: F16CA47250E445888824A9E63AE445CE


FirstBlood ID: 15
Vulnerability Type: Auth issues

A doctors invite code is leaked on the internet which if used grants anyone access to the doctor portal. The invite code should expire after use.

Report Feedback

@zseano

Creator & Administrator


Nice find vermsec and great report. Even though you weren't the first to find this, i'm awarding you a bounty at my own discretion. Great work again mate!


Respect Earnt: 1500000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.