FirstBlood-#840 — All user information is leaked due to unexpired cookies
This issue was discovered on FirstBlood v2
On 2021-10-29, axe Level 4 reported:
Steps
- Using the administrator user, click "test" and capture the packet with Burp.
- Get the /drpanel/drapi/query.php?aptid=56911356 path and reservation information.
- Record the current administrator's cookie: drps=39c1032de7c76a3b74f6d7e40
- Log out of the admin user and log in to the regular user Jam. Click "test" and find that you need admin privileges to access.
- Note: After logging out of your account, the cookie should expire and cannot be reused!!!
- Using a normal user, Jam, accessing the /drpanel/drapi/query.php?aptid=56911356 path, I found that access failed.
- Replace your own cookie with the administrator's cookie. drps=f733b8e5b69462f6a72723515 -> drps=39c1032de7c76a3b74f6d7e40 -> Access successful!!!
Vulnerability Exploitation
- Blast the last three digits of the aptid parameter value 56911356. All users' sensitive information can be obtained.
Impact
- Because the cookie is still valid after exit, the attacker can reuse the cookie, for example, to access sensitive information with this cookie.
Suggestions for fixing
- Cookies should be set with a validity period.
- Cookies should expire immediately after the user logs out and should no longer be usable!!!
P3 Medium
Endpoint: /drpanel/drapi/query.php
Parameter: aptid
Payload: 56911356
FirstBlood ID: 43
Vulnerability Type: Application/Business Logic
The session cookie is not invalidated in the database and thus old session tokens are still valid until a new login is made and a new session token is set.
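The fix the report asks for, and the root cause described above, come down to one rule: logout must delete the server-side session record, not just tell the browser to drop the cookie, and every record needs an expiry. The following Python model is an added example, not FirstBlood's code; the `SessionStore` class, `query_appointment` function and the 15-minute lifetime are constructed assumptions that stand in for the real `drps` cookie handling and `/drpanel/drapi/query.php`.

```python
import secrets
import time

SESSION_TTL = 15 * 60  # assumed lifetime in seconds; the real value is not on the page


class SessionStore:
    """Server-side table of sessions keyed by the value of the drps cookie."""

    def __init__(self, now=time.time):
        self._sessions = {}  # token -> {"user", "role", "expires"}
        self._now = now      # injectable clock so expiry can be tested offline

    def login(self, user, role):
        token = secrets.token_hex(16)
        self._sessions[token] = {
            "user": user, "role": role, "expires": self._now() + SESSION_TTL}
        return token

    def lookup(self, token):
        """Return the session for a token, or None if unknown or expired."""
        sess = self._sessions.get(token)
        if sess is None or self._now() >= sess["expires"]:
            self._sessions.pop(token, None)  # drop stale rows on sight
            return None
        return sess

    def logout_vulnerable(self, token):
        # The behaviour the report describes: the browser is told to drop the
        # cookie, but the server-side record stays, so a token captured
        # before logout keeps working.
        return "Set-Cookie: drps=; Max-Age=0"

    def logout_fixed(self, token):
        # Invalidate the record first; clearing the cookie alone is cosmetic.
        self._sessions.pop(token, None)
        return "Set-Cookie: drps=; Max-Age=0"


def query_appointment(store, token, aptid):
    """Model of /drpanel/drapi/query.php: admin-only, returns an HTTP status."""
    sess = store.lookup(token)
    if sess is None:
        return 401  # no valid session: reject before touching aptid
    if sess["role"] != "admin":
        return 403  # Jam's own session is rejected, as in the report
    return 200      # the reservation for aptid would be returned here
```

Replaying the admin token after `logout_vulnerable` still yields 200, which is exactly the cookie-swap step in the report; after `logout_fixed` or after the TTL elapses it yields 401.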