FirstBlood-#928 — It is possible to login as TestDoctor with <BLANK> cookie.
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-30, newrouge Level 3 reported:
Hey, I found that it is possible to authenticate into the doctor dashboard with a blank session cookie.
While dumping the database through SQL injection in the vaccination-manager login panel (report: https://www.bugbountyhunter.com/hackevents/report?id=686), I saw that there is another testdoctor account with a blank session.
So it is possible to authenticate into dashboard as TestDoctor with
https://e93b0208aa41-newrouge.a.firstbloodhackers.com/drpanel/index.php and capture the request.
Make sure the browser doesn't set any cookie automatically.
Add the header Cookie: drps=%20 to the request, and forward it.
You will be logged in as TestDoctor.
Dashboard exposed due to a logic error in the session implementation.
FirstBlood ID: 38
Vulnerability Type: Application/Business Logic
Unintended/not working correctly: On first start, if a doctor account doesn't have an active session (no logins), then it is possible to achieve account takeover by providing a blank drps= cookie in a request to /drpanel/. As this is an isolated/edge case it won't count towards a unique finding.
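The session-lookup mistake described above, modelled as an added example (not FirstBlood's own code): the vulnerable lookup trims the cookie value and compares it against the session column with no check that the token is non-empty, so a blank token matches any account that has never logged in; the hardened lookup rejects blank or short tokens before querying and never treats an empty stored value as a session. The table contents, the trim-then-compare behaviour and the 16-character minimum token length are assumptions.

```python
import sqlite3
from urllib.parse import unquote

# Constructed sample data (not the FirstBlood database): the doctor who has never
# logged in carries a blank session value, the condition the triage note describes.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE doctors (id INTEGER, username TEXT, session TEXT)")
    db.executemany("INSERT INTO doctors VALUES (?, ?, ?)", [
        (1, "drjones", "c0ffee11deadbeef"),  # constructed placeholder token
        (2, "TestDoctor", ""),                # no logins yet: blank session
    ])
    return db

def session_from_cookie(raw_cookie_value):
    # The cookie value arrives URL-encoded; "%20" decodes to a single space.
    # Assumed application behaviour: surrounding whitespace is trimmed before lookup.
    return unquote(raw_cookie_value).strip()

def lookup_vulnerable(db, raw_cookie_value):
    # Assumed vulnerable pattern: the token is compared against the session column
    # with no check that it is non-empty, so "" matches every never-logged-in account.
    token = session_from_cookie(raw_cookie_value)
    row = db.execute("SELECT username FROM doctors WHERE session = ?", (token,)).fetchone()
    return row[0] if row else None

MIN_TOKEN_LEN = 16  # assumed minimum length of a genuine session token

def lookup_hardened(db, raw_cookie_value):
    token = session_from_cookie(raw_cookie_value)
    # Refuse blank or implausibly short tokens before touching the database, and
    # require the stored value itself to look like a real token, so an empty or
    # placeholder session field can never authenticate anyone.
    if len(token) < MIN_TOKEN_LEN:
        return None
    row = db.execute(
        "SELECT username FROM doctors WHERE session = ? AND length(session) >= ?",
        (token, MIN_TOKEN_LEN),
    ).fetchone()
    return row[0] if row else None
```

Storing NULL rather than "" for accounts with no active session is a complementary fix, since `session = ?` never matches NULL.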