FirstBlood-#851 — [COLLAB with isitbug] Account takeover of TestDoctor with drps=%20 cookie
This issue was discovered on FirstBlood v2
On 2021-10-29, shreky Level 5 reported:
Summary
From the RCE, taking a look at the database, the user TestDoctor has a blank value for the session column. With that in mind, if we access /drpanel/ with the cookie drps=%20; set, we get access to the panel as TestDoctor.
Steps to reproduce
- Go to /drpanel/ and intercept the request
- Set the cookie drps=%20; and send the request
- You have logged in as TestDoctor
Impact
Since TestDoctor has no entry for the session column in the database, an attacker can use the drps cookie with a URL-encoded space as its value and get access to /drpanel/*.
P2 High
Endpoint: /drpanel/
Parameter: drps cookie
Payload: %20;
FirstBlood ID: 38
Vulnerability Type: Application/Business Logic
Unintended/not working correctly: On first start, if a doctor account doesn't have an active session (no logins), then it is possible to achieve account takeover by providing a blank drps= cookie in a request to /drpanel/. As this is an isolated/edge case it won't count towards a unique finding.
Creator & Administrator
Nice find, this isn't actually intended but after reviewing the code you are absolutely correct and this is a valid issue. Nice work!
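The following is an added illustration of the root cause the triage note describes, not code from the report or from FirstBlood (the server-side lookup is not shown on this page). It models a doctors table in SQLite where one account has never logged in and so has a blank session column, an assumed lookup that decodes and trims the drps cookie before matching it by equality (which is one way a %20 value ends up equal to a blank column; a MySQL PAD SPACE collation, which ignores trailing spaces in comparisons, would have the same effect without any trim), and two independent fixes: a lookup that refuses short or non-hex tokens and never matches a blank column, and a data-side migration that turns blank session values into NULL so that equality can never match them. The table name, column names, the drAlice account, its token value and the 32-hex-character token length are assumptions for the example.

```python
"""Model of a session-cookie lookup where a never-logged-in account has a blank session.

Constructed example: the doctors table, the drAlice account and ALICE_TOKEN are made up.
The TestDoctor row mirrors the report: session column present but blank.
"""
import sqlite3
from urllib.parse import unquote

# Assumed token format for the example: 128-bit hex string.
MIN_TOKEN_LEN = 32
HEX_DIGITS = set("0123456789abcdef")
ALICE_TOKEN = "0123456789abcdef0123456789abcdef"  # constructed active session


def build_db() -> sqlite3.Connection:
    """In-memory doctors table; TestDoctor has never logged in, so session is ''."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE doctors (username TEXT PRIMARY KEY, session TEXT)")
    conn.executemany(
        "INSERT INTO doctors VALUES (?, ?)",
        [
            ("drAlice", ALICE_TOKEN),  # constructed: an account with an active session
            ("TestDoctor", ""),        # blank session column, as in the report
        ],
    )
    conn.commit()
    return conn


def session_user_vulnerable(conn: sqlite3.Connection, drps_cookie: str):
    """Assumed lookup: URL-decode the cookie, trim it, match the session column by equality.

    '%20' decodes to ' ', strip() turns it into '', and '' equals the blank
    column of the never-logged-in account. Nothing checks that the token is
    non-empty or well-formed, so the blank row is returned.
    """
    token = unquote(drps_cookie).strip()
    row = conn.execute(
        "SELECT username FROM doctors WHERE session = ?", (token,)
    ).fetchone()
    return row[0] if row else None


def session_user_fixed(conn: sqlite3.Connection, drps_cookie: str):
    """Hardened lookup: validate the token shape first, and never match a blank column.

    Both halves matter: the length/charset check stops blank and junk tokens
    before the query, and the 'session <> ''' predicate means a blank row can
    never satisfy the lookup even if the input check is bypassed elsewhere.
    """
    token = unquote(drps_cookie).strip().lower()
    if len(token) < MIN_TOKEN_LEN or not set(token) <= HEX_DIGITS:
        return None
    row = conn.execute(
        "SELECT username FROM doctors "
        "WHERE session = ? AND session <> '' AND length(session) >= ?",
        (token, MIN_TOKEN_LEN),
    ).fetchone()
    return row[0] if row else None


def null_out_blank_sessions(conn: sqlite3.Connection) -> int:
    """Data-side fix: store 'no session' as NULL, not ''.

    In SQL, 'session = <anything>' is never true when session is NULL, so
    even the original equality lookup stops matching these accounts.
    Returns the number of rows changed.
    """
    cur = conn.execute("UPDATE doctors SET session = NULL WHERE session = ''")
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = build_db()
    print("vulnerable lookup, drps=%20 ->", session_user_vulnerable(db, "%20"))
    print("fixed lookup, drps=%20      ->", session_user_fixed(db, "%20"))
    print("fixed lookup, real token    ->", session_user_fixed(db, ALICE_TOKEN))
    print("rows migrated to NULL       ->", null_out_blank_sessions(db))
    print("vulnerable lookup after fix ->", session_user_vulnerable(db, "%20"))
```

Running it shows the blank-cookie request resolving to TestDoctor through the original lookup, the hardened lookup rejecting it while still accepting a well-formed token, and the NULL migration closing the hole even for the unchanged query. The migration is the cheaper fix to deploy first; the input validation is what prevents the same class of bug from returning when a new account row is created with a default of ''.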