FirstBlood-#850 — Application logic error on /drpanel/ leads to ATO of doctors who have never signed in
This issue was discovered on FirstBlood v2
On 2021-10-29, eliee Level 7 reported:
When browsing to /drpanel/ with the cookie drps=%20;, the webpage will let us access any doctor account that hasn't logged in since they haven't been assigned a session id.
This is an edge case. While the ATO on TestDoctor is doable this way, normally doctors would be logged in automatically when registering, rendering this report invalid unless they are added to the system through some other way.
Steps to reproduce
- Fire up Burp or any other HTTP proxy capable of intercepting requests and set the proxy to intercept
- Ensure you have a fresh instance of FirstBlood running
- Browse to /drpanel/ and, in the intercepted request, add Cookie: drps=%20; and send the request through
- The server will happily return the contents of TestDoctor, who has never logged in
Malicious actors can take over previously unlogged-in doctor accounts by simply setting the
Ensure there is a default value in the session column and sanitize drps from unused chars.
FirstBlood ID: 38
Vulnerability Type: Application/Business Logic
Unintended/not working correctly: On first start, if a doctor account doesn't have an active session (no logins), then it is possible to achieve account takeover by providing a blank drps= cookie in a request to /drpanel/. As this is an isolated/edge case it won't count towards a unique finding.
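The logic error described in this report, reconstructed as an added example; this is not FirstBlood's own code and the schema, column names and cookie handling are assumptions made for illustration. A fresh doctor row is created with a blank session value, and the panel looks the doctor up purely by `WHERE session = <cookie value>`, so a cookie whose value trims down to nothing matches every doctor who has never signed in. The hardened lookup rejects blank or malformed tokens before querying and never lets an empty or NULL session column count as a match, which is the "default value in the session column" plus "sanitize drps" fix the report suggests.

```python
import secrets
import sqlite3
from urllib.parse import unquote

# Constructed sample data (an assumption, not FirstBlood's real schema): two
# doctors on a fresh install, neither of whom has ever signed in, so both still
# carry the default '' in the session column.
DOCTORS = ["TestDoctor", "DrSmith"]


def fresh_db():
    """Build an in-memory doctors table with a blank session default."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE doctors (username TEXT PRIMARY KEY, session TEXT DEFAULT '')")
    con.executemany("INSERT INTO doctors (username) VALUES (?)", [(d,) for d in DOCTORS])
    return con


def login(con, username):
    """Assign a fresh random session token on sign-in and return it."""
    token = secrets.token_hex(16)
    con.execute("UPDATE doctors SET session = ? WHERE username = ?", (token, username))
    return token


def parse_cookie(header):
    """Minimal Cookie header parser: 'a=1; b=2;' -> {'a': '1', 'b': '2'}."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            out[name] = value
    return out


def drpanel_vulnerable(con, cookie_header):
    """Hypothetical reconstruction of the flawed lookup: the drps value is
    URL-decoded and trimmed, then matched against the session column with no
    check that the column actually holds a token. 'drps=%20;' decodes to ' ',
    trims to '', and therefore matches the first doctor who never logged in."""
    drps = unquote(parse_cookie(cookie_header).get("drps", "")).strip()
    row = con.execute("SELECT username FROM doctors WHERE session = ?", (drps,)).fetchone()
    return row[0] if row else None


def drpanel_fixed(con, cookie_header):
    """Hardened lookup: refuse anything that is not a well-formed token before
    touching the database, and exclude blank/NULL sessions in the query itself
    so a defaulted row can never satisfy the match."""
    drps = unquote(parse_cookie(cookie_header).get("drps", "")).strip()
    if len(drps) != 32 or any(c not in "0123456789abcdef" for c in drps):
        return None
    row = con.execute(
        "SELECT username FROM doctors "
        "WHERE session = ? AND session IS NOT NULL AND session <> ''",
        (drps,),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    con = fresh_db()
    print("vulnerable, blank cookie ->", drpanel_vulnerable(con, "drps=%20;"))  # TestDoctor
    print("fixed, blank cookie      ->", drpanel_fixed(con, "drps=%20;"))       # None
    tok = login(con, "DrSmith")
    print("fixed, real token        ->", drpanel_fixed(con, f"drps={tok};"))    # DrSmith
```

Two practitioner notes. First, in this SQLite model the `.strip()` is what turns `%20` into an empty match; on MySQL with a PAD SPACE collation (the default for pre-8.0 collations) trailing spaces are already insignificant in string comparison, so `' ' = ''` is true in the query itself and no trimming is needed for the same bypass. Second, the query-side `session <> ''` guard matters even after the input check, because it also closes the case where a row's session is reset to blank on logout and an attacker later presents an empty value through some path the input check does not cover.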
Creator & Administrator
Nice find eliee, this isn't actually intended but after reviewing the code you are absolutely correct and this is a valid issue. Nice work!