FirstBlood-#851[COLLAB with isitbug] Account takeover of TestDoctor with drps=%20 cookie
This issue was discovered on FirstBlood v2

On 2021-10-29, shreky Level 5 reported:


From the RCE, taking a look at the database, the user TestDoctor has a blank value for the session column. With that in mind, if we access /drpanel/ with the cookie drps=%20; set, we get access to the panel as TestDoctor.

Steps to reproduce

  1. Go to /drpanel/ and intercept the request
  2. Set the cookie drps=%20; and send the request
  3. You have logged in as TestDoctor


Since TestDoctor has no entry for the session column in the database, an attacker can use the drps cookie with a URL-encoded space as its value and get access to /drpanel/*.

P2 High

Endpoint: /drpanel/

Parameter: drps cookie

Payload: %20;

FirstBlood ID: 38
Vulnerability Type: Application/Business Logic

Unintended/not working correctly: On first start, if a doctor account doesn't have an active session (no logins), then it is possible to achieve account takeover by providing a blank drps= cookie in a request to /drpanel/. As this is an isolated/edge case it won't count towards a unique finding.
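The root cause described above, a session lookup that happily matches a blank stored token against a blank cookie, modelled as an added example. This is not FirstBlood's code; the table, the `drps` decoding and the `hardened_lookup` fix are assumptions made here to illustrate the flaw and one way to close it. The sample rows are constructed: TestDoctor is given an empty session value, as the report says it has in the real database.

```python
import sqlite3
import urllib.parse

TOKEN_LEN = 36  # assumed minimum length of a real session token


def make_db():
    """Constructed sample data: one doctor with a live session, one who never logged in."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE doctors (username TEXT, session TEXT)")
    db.executemany("INSERT INTO doctors VALUES (?, ?)", [
        ("DrAlice", "c0ffee" * 6),   # active session token (36 chars)
        ("TestDoctor", ""),          # never logged in: blank session column
    ])
    return db


def cookie_value(raw):
    # Assumption: the application URL-decodes the cookie and trims it,
    # so drps=%20 (a single space) becomes the empty string.
    return urllib.parse.unquote(raw).strip()


def vulnerable_lookup(db, drps):
    """Looks the token up with no check that it is non-empty.

    A blank cookie therefore matches every account whose session column
    is blank, which is exactly the account-takeover in the report.
    """
    token = cookie_value(drps)
    row = db.execute("SELECT username FROM doctors WHERE session = ?",
                     (token,)).fetchone()
    return row[0] if row else None


def hardened_lookup(db, drps):
    """Same lookup, but a token has to look like a real session before it is
    used, and the query itself refuses blank/NULL stored sessions."""
    token = cookie_value(drps)
    if len(token) < TOKEN_LEN or not token.isalnum():
        return None  # rejects "", " ", and anything too short to be a token
    row = db.execute(
        "SELECT username FROM doctors "
        "WHERE session = ? AND session IS NOT NULL AND session <> ''",
        (token,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, drps=%20 ->", vulnerable_lookup(db, "%20"))
    print("hardened,   drps=%20 ->", hardened_lookup(db, "%20"))
    print("hardened,   real token ->", hardened_lookup(db, "c0ffee" * 6))
```

Two practical notes. First, the trim is only one way the space can collapse to an empty string: MySQL's default PAD SPACE collations already treat `' '` and `''` as equal in `=` comparisons, so the app need not strip anything for this to work. Second, storing NULL rather than `''` for accounts that have never logged in would also defeat the blank-cookie match, because `session = ?` never matches a NULL, but rejecting empty and malformed tokens before the query is the check that does not depend on how the column happens to be populated.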

Creator & Administrator

Nice find, this isn't actually intended but after reviewing the code you are absolutely correct and this is a valid issue. Nice work!