FirstBlood-#928 — It is possible to login as TestDoctor with <BLANK> cookie.
This issue was discovered on FirstBlood v2
On 2021-10-30, newrouge Level 3 reported:
Hey, I found that it is possible to authenticate into the doctor dashboard with a blank session cookie.

While dumping the database through the SQL injection in the vaccination-manager login panel (Report https://www.bugbountyhunter.com/hackevents/report?id=686), I saw that there is another TestDoctor account with a blank session.

So it is possible to authenticate into the dashboard as TestDoctor with the drps=%20 cookie set.
Steps:

1. Load URL https://e93b0208aa41-newrouge.a.firstbloodhackers.com/drpanel/index.php and capture the request.
2. Make sure the browser doesn't set any cookie automatically.
3. Add the cookie drps=%20 to the request and forward it.
4. You will be logged in as TestDoctor.
Impact:
Dashboard exposed due to a logic error in the session implementation.
P2 High
Endpoint: /drpanel/
Parameter: drps=
Payload: drps=%20
FirstBlood ID: 38
Vulnerability Type: Application/Business Logic
Unintended/not working correctly: On first start, if a doctor account doesn't have an active session (no logins), then it is possible to achieve account takeover by providing a blank drps= cookie in a request to /drpanel/. As this is an isolated/edge case it won't count towards a unique finding.
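The following is an added illustration of the logic error described above, not code from FirstBlood; it assumes (the page does not state this) that accounts which have never logged in carry an empty string in their session column, and that the session lookup trims the cookie value before comparing it, so that drps=%20 (a single space) matches such an account. The hardened lookup rejects blank tokens and never treats an empty stored session as valid.

```python
import sqlite3
from urllib.parse import unquote


def make_db():
    """Constructed in-memory stand-in for the doctor accounts table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE doctors (name TEXT, session TEXT)")
    # Assumption: a doctor that has never logged in has session = ''.
    db.executemany("INSERT INTO doctors VALUES (?, ?)",
                   [("DrAlice", "a1b2c3d4"), ("TestDoctor", "")])
    return db


def cookie_value(cookie_header, name="drps"):
    """Extract and URL-decode one cookie from a raw Cookie header value."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return unquote(value)
    return ""


def lookup_vulnerable(db, drps_cookie):
    """Mimics the logic error: the trimmed cookie is compared as-is, so a
    whitespace-only cookie matches the account whose session is empty."""
    row = db.execute("SELECT name FROM doctors WHERE session = ?",
                     (drps_cookie.strip(),)).fetchone()
    return row[0] if row else None


def lookup_hardened(db, drps_cookie):
    """Reject blank tokens before querying, and exclude empty stored
    sessions so never-logged-in accounts can't be matched by any cookie."""
    token = drps_cookie.strip()
    if not token:
        return None
    row = db.execute(
        "SELECT name FROM doctors WHERE session = ? AND session <> ''",
        (token,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    blank = cookie_value("drps=%20")
    print("vulnerable:", lookup_vulnerable(db, blank))  # TestDoctor
    print("hardened:  ", lookup_hardened(db, blank))    # None
```

Storing NULL rather than '' for accounts without a session, and rejecting whitespace-only tokens at the cookie parser, closes the edge case for every account rather than just the one the report found.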