FirstBlood-#851 — [COLLAB with isitbug] Account takeover of TestDoctor with drps=%20 cookie
This issue was discovered on FirstBlood v2
On 2021-10-29, shreky Level 4 reported:
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
BugBountyHunter Membership
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles
Summary
From the RCE,taking a look at the database,the user TestDoctor has blank value for the session column.With that in mind,if we access /drpanel/ with the cookie drps=%20; set,we get access to the panel as TestDoctor.
Steps to reproduce
- Go to
/drpanel/ and intercept the request
- Set the cookie
drps=%20; and send the request
- You have logged in as TestDoctor
Impact
Since TestDoctor has no entry for the session column in the database,an attacker can use the drps cookie with a URL encoded space as its value and get access to /drpanel/*.
P2 High
Endpoint: /drpanel/
Parameter: drps cookie
Payload: %20;
FirstBlood ID: 38
Vulnerability Type: Application/Business Logic
Unintended/not working correctly: On first start, if a doctor account doesn't have an active session (no logins), then it is possible to achieve account takeover by providing a blank drps= cookie in a request to /drpanel/. As this is an isolated/edge case it won't count towards a unique finding.
Report Feedback
Creator & Administrator
Nice find, this isn't actually intended but after reviewing the code you are absolutely correct and this is a valid issue. Nice work!