FirstBlood-#851[COLLAB with isitbug] Account takeover of TestDoctor with drps=%20 cookie
This issue was discovered on FirstBlood v2

On 2021-10-29, shreky Level 5 reported:

Summary

From the RCE, taking a look at the database, the user TestDoctor has a blank value for the session column. With that in mind, if we access /drpanel/ with the cookie drps=%20; set, we get access to the panel as TestDoctor.

Steps to reproduce

  1. Go to /drpanel/ and intercept the request
  2. Set the cookie drps=%20; and send the request
  3. You have logged in as TestDoctor

Impact

Since TestDoctor has no entry for the session column in the database, an attacker can use the drps cookie with a URL-encoded space as its value and get access to /drpanel/*.

P2 High

Endpoint: /drpanel/

Parameter: drps cookie

Payload: %20;

FirstBlood ID: 38
Vulnerability Type: Application/Business Logic

Unintended/not working correctly: On first start, if a doctor account doesn't have an active session (no logins), then it is possible to achieve account takeover by providing a blank drps= cookie in a request to /drpanel/. As this is an isolated/edge case it won't count towards a unique finding.
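To make the logic flaw concrete, the following is an added Python model of a doctor session lookup; it is not FirstBlood's code. It assumes an in-memory SQLite table, that the vulnerable lookup trims the cookie before querying (so `%20` becomes an empty string and matches the never-logged-in row), and a hypothetical 32-hex-character token format for the hardened check.

```python
import re
import sqlite3
from typing import Optional

# Constructed sample data: TestDoctor has never logged in, so its session
# column holds an empty string rather than NULL (the condition in the report).
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE doctors (username TEXT, session TEXT)")
    conn.executemany(
        "INSERT INTO doctors VALUES (?, ?)",
        [("TestDoctor", ""), ("DrActive", "7f3a9c0e4b1d2a6f8e5c3b9d1a7e2f4c")],
    )
    return conn

# Vulnerable lookup (assumption: the cookie is trimmed before the query).
# A drps cookie of " " or "" therefore matches the blank session row.
def lookup_vulnerable(conn: sqlite3.Connection, drps_cookie: str) -> Optional[str]:
    token = drps_cookie.strip()
    row = conn.execute(
        "SELECT username FROM doctors WHERE session = ?", (token,)
    ).fetchone()
    return row[0] if row else None

TOKEN_RE = re.compile(r"[0-9a-f]{32}")  # assumed session token format

# Hardened lookup: validate the token shape before touching the database and
# never let an empty or NULL column act as a valid session.
def lookup_hardened(conn: sqlite3.Connection, drps_cookie: Optional[str]) -> Optional[str]:
    if not drps_cookie or not TOKEN_RE.fullmatch(drps_cookie):
        return None
    row = conn.execute(
        "SELECT username FROM doctors "
        "WHERE session IS NOT NULL AND session <> '' AND session = ?",
        (drps_cookie,),
    ).fetchone()
    return row[0] if row else None

# Storage-side fix: represent "no session" as NULL so equality can never match,
# which closes the hole even for the untouched vulnerable query.
def null_blank_sessions(conn: sqlite3.Connection) -> int:
    cur = conn.execute("UPDATE doctors SET session = NULL WHERE session = ''")
    conn.commit()
    return cur.rowcount

if __name__ == "__main__":
    db = build_db()
    print("vulnerable, drps=' ':", lookup_vulnerable(db, " "))   # TestDoctor
    print("hardened,   drps=' ':", lookup_hardened(db, " "))     # None
    null_blank_sessions(db)
    print("vulnerable after NULL fix:", lookup_vulnerable(db, " "))  # None
```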

Report Feedback

@zseano

Creator & Administrator

Nice find, this isn't actually intended but after reviewing the code you are absolutely correct and this is a valid issue. Nice work!