FirstBlood-#928It is possible to login as TestDoctor with <BLANK> cookie.
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-30, newrouge Level 3 reported:

Hey, i found that it is possible to authenticate into doctor dashboard with blank session cookie.

  • While Dumping the databsse through SQL injection in vaccination-manager login panel, Report (https://www.bugbountyhunter.com/hackevents/report?id=686). I saw that there is another testdoctor account with blank session.

  • So it is possible to authenticate into dashboard as TestDoctor with drps=%20 cookie set.

Steps:

  1. Load URL https://e93b0208aa41-newrouge.a.firstbloodhackers.com/drpanel/index.php and capture the request.

  2. Make sure Browser doesn't set any cookie automatically.

  3. Add the Cookie: drps=%20 in request, and forward it.

  4. You will be logged-in as TestDoctor .

impact:

Dashboard exposed due to logic error in session implementation.

P2 High

Endpoint: /drpanel/

Parameter: drps=

Payload: drps=%20


FirstBlood ID: 38
Vulnerability Type: Application/Business Logic

Unintended/not working correctly: On first start, if a doctor account doesn't have an active session (no logins), then it is possible to achieve account takeover by providing a blank drps= cookie in a request to /drpanel/. As this is an isolated/edge case it won't count towards a unique finding.