FirstBlood-#825 — Vaccination manager doesn't destroy the cookie on logout
This issue was discovered on FirstBlood v2
On 2021-10-29, twsec Level 2 reported:
After logging out from the vaccination manager portal, it turns out that the cookie wasn't destroyed properly.
Steps to reproduce:
- First we'll try to navigate to portal.php immediately and find out that we cannot.
This image is from before we log in; notice that there's no cookie set.
- Log in normally using the admin username and password, and we're redirected to portal.php.
- Now we click on the "securely sign out" button and we're redirected to the home page again.
Notice now that the cookie value is not present.
- Navigate back to vaccination-manager/login.php.
Notice that the cookie is back there, so with that, navigate to portal.php
and we're in. But if I delete it manually, this behavior doesn't happen.
Impact: Imagine a lab or hospital using a shared PC. If the vaccine manager logs out and then a non-vaccine-manager logs in, he'll be able to access the vaccine manager portal when he's not supposed to.
Note: This is not a browser behavior, because I tried this with the doctor login and it didn't happen.
I'm using Edge Version 94.0.992.47.
P4 Low
Endpoint: /vaccination-manager/portal.php
Parameter: logout
Payload: the cookie value
FirstBlood ID: 43
Vulnerability Type: Application/Business Logic
The session cookie is not invalidated in the database, so old session tokens remain valid until a new login is made and a new session token is set.