FirstBlood-#928 — It is possible to login as TestDoctor with <BLANK> cookie.
This issue was discovered on FirstBlood v2
On 2021-10-30, newrouge Level 3 reported:
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles
Hey, i found that it is possible to authenticate into doctor dashboard with blank session cookie.
-
While Dumping the databsse through SQL injection in vaccination-manager login panel, Report (https://www.bugbountyhunter.com/hackevents/report?id=686). I saw that there is another testdoctor account with blank session.
-
So it is possible to authenticate into dashboard as TestDoctor with drps=%20 cookie set.
Steps:
-
Load URL https://e93b0208aa41-newrouge.a.firstbloodhackers.com/drpanel/index.php and capture the request.
-
Make sure Browser doesn't set any cookie automatically.
-
Add the Cookie: drps=%20 in request, and forward it.
-
You will be logged-in as TestDoctor .
impact:
Dashboard exposed due to logic error in session implementation.
P2 High
Endpoint: /drpanel/
Parameter: drps=
Payload: drps=%20
FirstBlood ID: 38
Vulnerability Type: Application/Business Logic
Unintended/not working correctly: On first start, if a doctor account doesn't have an active session (no logins), then it is possible to achieve account takeover by providing a blank drps= cookie in a request to /drpanel/. As this is an isolated/edge case it won't count towards a unique finding.