FirstBlood-#774 — No session invalidation after logout on vaccine-portal
This issue was discovered on FirstBlood v2
On 2021-10-28, newrouge Level 3 reported:
Hey I found that the vaccine portal doesn't invalidate sessions after logging out from the application.
(I am not sure whether it's even a bug or not on the event, just to make sure I am reporting this p5)
- Navigate to https://firstbloodhackers.com/vaccination-manager/login.php
- Login with valid credentials, and now you are on portal.php.
- Click on Logout, close the current tab, open a new tab and paste the below URL:
https://firstbloodhackers.com/vaccination-manager/portal.php
Even after logging out from the vaccine portal previously, we can still see all the details as the logged-in user.
Thank you
newrouge
P4 Low
Endpoint: /vaccination-manager/portal.php
Parameter: N/A
Payload: vaccine_manager cookie
FirstBlood ID: 43
Vulnerability Type: Application/Business Logic
The session cookie is not invalidated in the database on logout, so the old session token remains valid until the user logs in again and a new session token is set, replacing it.
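The following is an added illustration of the failure mode described in the triage note, not code from the FirstBlood vaccine portal: a small in-memory stand-in for the server-side session table (the real schema is unknown and assumed here), a logout handler that only clears the browser cookie and leaves the stored token alive, the corrected handler that deletes the server-side record, and a check that replays the old token after each kind of logout. The function names (`login`, `logout_cookie_only`, `logout_fixed`, `portal`, `replay_after_logout`) are hypothetical.

```python
import secrets
import time

# Constructed stand-in for the portal's session table: the real
# vaccine_manager storage is not on the page, so this is an assumption.
_sessions_by_token = {}   # token -> {"user": ..., "issued": ...}
_token_by_user = {}       # user -> currently valid token


def login(user):
    """Issue a fresh token. A new login replaces the user's previous token,
    which is the only point at which the reported portal discards an old one."""
    old = _token_by_user.get(user)
    if old is not None:
        _sessions_by_token.pop(old, None)
    token = secrets.token_hex(16)
    _sessions_by_token[token] = {"user": user, "issued": time.time()}
    _token_by_user[user] = token
    return token


def logout_cookie_only(token):
    """The reported behaviour: the response clears the browser cookie
    (returned here as the new cookie value) but the server-side record
    is left untouched, so anyone still holding the token stays logged in."""
    return ""


def logout_fixed(token):
    """Corrected handler: delete the server-side record so the token can
    never resolve to a user again, then clear the cookie as before."""
    rec = _sessions_by_token.pop(token, None)
    if rec is not None:
        _token_by_user.pop(rec["user"], None)
    return ""


def portal(token):
    """What portal.php effectively does: resolve the cookie to a user,
    or None when the token is unknown (the user should see the login page)."""
    rec = _sessions_by_token.get(token)
    return None if rec is None else rec["user"]


def replay_after_logout(logout_fn, user="alice"):
    """Regression check for the report: log in, log out with the given
    handler, then present the old token to the portal again."""
    token = login(user)
    logout_fn(token)
    return portal(token)


if __name__ == "__main__":
    print("cookie-only logout, replayed token resolves to:",
          replay_after_logout(logout_cookie_only))   # 'alice' (vulnerable)
    print("fixed logout, replayed token resolves to:",
          replay_after_logout(logout_fixed))         # None (rejected)
```

The replay check is the one to keep in a test suite: after any logout path, the previous cookie value must no longer resolve to a user, independent of whether the browser happened to discard it.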