FirstBlood-#850 — Application logic error on /drpanel/ leads to ATO of doctors who have never signed in
This issue was discovered on FirstBlood v2
On 2021-10-29, eliee Level 7 reported:
Summary
When browsing to /drpanel/ with cookie drps=%20;, the webpage will let us access any doctor account that hasn't logged in, since they haven't been assigned a session id.
Note
This is an edge case. While the ATO on TestDoctor is doable this way, normally doctors would be logged in automatically when registering, rendering this report invalid unless they are added to the system through some other way.
Steps to reproduce
- Fire up Burp or any other HTTP proxy capable of intercepting requests and set the proxy to intercept
- Ensure you have a fresh instance of Firstblood running
- Browse to /drpanel/ and, in the intercepted request, add Cookie: drps=%20; and send the request through
- The server will happily return the contents of /drpanel for user TestDoctor, who has never logged in
Screenshot
Impact
Malicious actors can take over previously unlogged-in doctor accounts by simply setting the drps cookie to %20.
Remediation
Ensure there is a default value in the session column and sanitize drps from unused chars.
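To illustrate the logic flaw and the remediation above, the following is an added example (not FirstBlood's code, and its schema, cookie handling and token format are assumptions): a session lookup that trims the drps cookie and compares it against a session column defaulting to an empty string will match every never-logged-in doctor when the cookie is a single space, while the hardened lookup validates the token format and refuses to match blank or NULL sessions.

```python
import re
import sqlite3

# Constructed in-memory doctor table (assumed schema, not FirstBlood's real one).
# TestDoctor has never logged in, so its session column still holds the blank default.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE doctors (name TEXT, session TEXT DEFAULT '')")
    db.execute("INSERT INTO doctors VALUES ('TestDoctor', '')")
    db.execute("INSERT INTO doctors VALUES ('DrActive', 'a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4')")
    return db

def doctor_for_cookie_vulnerable(db, drps):
    # Assumed vulnerable logic: the cookie is only checked for presence, then
    # trimmed and compared with the session column. A cookie of %20 (one space)
    # trims to '' and therefore matches any doctor who was never assigned a session.
    if drps is None:
        return None
    row = db.execute("SELECT name FROM doctors WHERE session = ?",
                     (drps.strip(),)).fetchone()
    return row[0] if row else None

# Assumed session-token format: 32 lowercase hex characters.
SESSION_RE = re.compile(r"[0-9a-f]{32}")

def doctor_for_cookie_fixed(db, drps):
    # Hardened lookup: reject anything that is not a well-formed token (this
    # covers the "sanitize drps" part of the remediation), and never match a
    # doctor whose session column is blank or NULL (the "default value" part;
    # with DEFAULT NULL the equality alone would already fail in SQL).
    if drps is None or not SESSION_RE.fullmatch(drps):
        return None
    row = db.execute(
        "SELECT name FROM doctors WHERE session = ? "
        "AND session IS NOT NULL AND session <> ''",
        (drps,)).fetchone()
    return row[0] if row else None
```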
P2 High
Endpoint: /drpanel/
Parameter: drps
Payload: %20
FirstBlood ID: 38
Vulnerability Type: Application/Business Logic
Unintended/not working correctly: On first start, if a doctor account doesn't have an active session (no logins), then it is possible to achieve account takeover by providing a blank drps= cookie in a request to /drpanel/. As this is an isolated/edge case it won't count towards a unique finding.
Creator & Administrator
Nice find eliee, this isn't actually intended but after reviewing the code you are absolutely correct and this is a valid issue. Nice work!