BugBountyHunter

Hello Zseano, Hope you are doing well.. While analyzing the session based bugs I and Kinako observed this session invalidation behavior at vaccine-manager portal.

Description:

At /vaccination-manager/portal.php, the Firstblood V2 application is not successfully validating the session. Even after securely logging out, when we visit vaccination-manager/portal.php, it does not redirect to the login page, while the /drpanel portal validates it.

Steps to reproduce the issue :

1. Navigate to the https://c6703f81420b-mrrootsec.a.firstbloodhackers.com/vaccination-manager/portal.php

2. Login with the valid credentials and Click on Logout

3. Close the Current Tab and Open a new Tab and paste the Below URL

   https://c6703f81420b-mrrootsec.a.firstbloodhackers.com/vaccination-manager/portal.php

4. Even after logging out from the vaccine portal,we still see the all details as logged in.

Impact :

1. If attacker have user password and logged in different places, As the sessions is not destroyed, attacker will be still logged in your account even after logging out from the application, cause the session is still active.. Malicious actor can complete access to the account till that session expires!

Remediation / Fix :

1. Destroy the session after logging out from the application
2. it is mandatory to set expiration timeouts for every session, establishing the amount of time a session will remain active.

References :

1. https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html

Thanks and Regards

Mrroot & Kinako