FirstBlood-#757 [COLLAB] Session Invalidation at Vaccine Management Portal
This issue was discovered on FirstBlood v2.0.0 (issues patched)

On 2021-10-28, mrrootsec Level 2 reported:

Hello Zseano, hope you are doing well. While analyzing session-based bugs, Kinako and I observed this session invalidation behavior at the vaccine-manager portal.

Description:

At /vaccination-manager/portal.php, the FirstBlood v2 application is not successfully validating the session. Even after securely logging out, when we visit /vaccination-manager/portal.php it does not redirect to the login page, while the /drpanel portal validates it.

Steps to reproduce the issue:

  1. Navigate to https://c6703f81420b-mrrootsec.a.firstbloodhackers.com/vaccination-manager/portal.php

  2. Log in with valid credentials and click on Logout

  3. Close the current tab, open a new tab and paste the below URL:

    https://c6703f81420b-mrrootsec.a.firstbloodhackers.com/vaccination-manager/portal.php

  4. Even after logging out from the vaccine portal, we still see all the details as if logged in.

Impact:

  1. If an attacker has the user's password and is logged in from a different place, then because the session is not destroyed, the attacker will still be logged in to your account even after you log out from the application, since the session is still active. A malicious actor can have complete access to the account until that session expires!

Remediation / Fix:

  1. Destroy the session after logging out from the application.
  2. It is mandatory to set expiration timeouts for every session, establishing the amount of time a session will remain active.

References:

  1. https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html

Thanks and regards,

Mrroot & Kinako

P4 Low

Endpoint: /vaccination-manager/login.php

Parameter: NA

Payload: NA

FirstBlood ID: 43
Vulnerability Type: Application/Business Logic

The session cookie is not invalidated in the database, so old session tokens remain valid until a new login is made and a new session token is set.
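As an added illustration of the two remediation items in the report and of the closing note above (this is example code written for this page, not FirstBlood's own PHP, and the in-memory dictionary is a constructed stand-in for the application's sessions table), the store below contrasts a logout that only clears the browser cookie with one that also revokes the server-side record, and enforces an expiration timeout on every session. The `SessionStore`, `FakeClock`, `logout_vulnerable`, `logout_fixed` and `demo` names are hypothetical.

```python
"""Server-side session invalidation demo (example code, not the portal's own)."""
import secrets
import time

SESSION_TTL_SECONDS = 15 * 60  # assumed idle/absolute timeout for the demo


class FakeClock:
    """Controllable clock so the expiry path can be exercised deterministically."""

    def __init__(self, now=1_000_000.0):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class SessionStore:
    """Minimal session table: token -> {user, expires, revoked}.

    The dict stands in for the database rows the closing note refers to.
    """

    def __init__(self, ttl=SESSION_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock
        self.sessions = {}

    def login(self, user):
        # Fresh, unguessable token on every login; never reuse an old one.
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {
            "user": user,
            "expires": self.clock() + self.ttl,
            "revoked": False,
        }
        return token

    def validate(self, token):
        """Return the user for a live session, or None (caller redirects to login)."""
        rec = self.sessions.get(token)
        if rec is None or rec["revoked"]:
            return None
        if self.clock() > rec["expires"]:
            # Lazy cleanup: drop the expired row so it cannot be replayed.
            del self.sessions[token]
            return None
        return rec["user"]

    def logout_vulnerable(self, token):
        # Mirrors the reported behaviour: the browser cookie is cleared,
        # but the server-side row is untouched, so the token still validates.
        return {"Set-Cookie": "session=; Max-Age=0; Path=/"}

    def logout_fixed(self, token):
        # Remediation item 1: destroy the server-side session on logout.
        rec = self.sessions.get(token)
        if rec is not None:
            rec["revoked"] = True  # or delete the row outright
        return {"Set-Cookie": "session=; Max-Age=0; Path=/"}


def demo():
    """Walk the report's reproduction against both logout handlers and the timeout."""
    clock = FakeClock()
    store = SessionStore(clock=clock)

    # Step 2-3 of the report: log out, then reuse the same token in a new tab.
    token = store.login("alice")
    store.logout_vulnerable(token)
    after_vulnerable_logout = store.validate(token)  # still "alice"

    token = store.login("alice")
    store.logout_fixed(token)
    after_fixed_logout = store.validate(token)  # None: redirect to login

    # Remediation item 2: a session left idle past its timeout stops validating.
    token = store.login("alice")
    assert store.validate(token) == "alice"
    clock.advance(SESSION_TTL_SECONDS + 1)
    after_expiry = store.validate(token)  # None

    return {
        "after_vulnerable_logout": after_vulnerable_logout,
        "after_fixed_logout": after_fixed_logout,
        "after_expiry": after_expiry,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The difference between the two handlers is the whole bug: `logout_vulnerable` returns the same `Set-Cookie` header the user sees in the browser, so the logout looks successful, while the token in the table keeps working until it is overwritten by a later login. `logout_fixed` marks the row revoked before clearing the cookie, and `validate` refuses revoked or expired rows, which is the check `/vaccination-manager/portal.php` needs to perform before rendering.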