Mindoktor: Storing sensitive information on cookie post-registration

2016-10-20T12:01:28
ID H1:177018
Type hackerone
Reporter fisher
Modified 1970-01-01T00:00:00

Description

Hello,

I've noticed that upon registering, the server sets a cookie named clinic_clinic.PENTEST_FLASH. In it, it stores all the information the user used to register.

Sample request:

POST /user/register HTTP/1.1
Host: clinic.pentest.mindoktor.io
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://clinic.pentest.mindoktor.io/user/register
Cookie: clinic_clinic.PENTEST_FLASH=; clinic_clinic.PENTEST_SESSION=8ec97c3d12dd00e4d16cc67ef23101947022e5a9-%00csrf_token%3A49xbpGTQPKCP0XBoPRszk3%2BwPAlh5D%2FX3Z3jAgTCB8k%3D%00%00_TS%3Asession%00
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 485

csrf_token=49xbpGTQPKCP0XBoPRszk3%2BwPAlh5D%2FX3Z3jAgTCB8k%3D&2367ghjfgjh8=&user.Email=BLOB@mail.com&confirmEmail=BLOB@mail.com&user.Password=RYty9m3nQN&confirmPassword=RYty9m3nQN&user.FirstName=Mik&user.LastName=Fisher&user.SSN=00001219-3421&user.Address=Bob+address+Mot+Bla&user.PostalCode=34565&user.City=1234&user.Telephone=%2B351902345666&confirmTelephone=%2B351902345666&user.UserGroupID=1&di.Workplace=&di.LicenseCode=&di.Title=BLOB&di.Signature=Blobl&di.Presentation=BLEBLBELBB

Sample response:

HTTP/1.1 302 Found
Content-Type:
Location: /user/register?destination=
Set-Cookie: clinic_clinic.PENTEST_ERRORS=%00false%3ADet+finns+redan+ett+konto+med+det+angivna+personnumret.%00; Path=/; HttpOnly
Set-Cookie: clinic_clinic.PENTEST_FLASH=di.LicenseCode:di.Signature:BloblconfirmPassword:RYty9m3nQNuser.LastName:FisherconfirmTelephone:+351902345666user.City:1234user.PostalCode:34565di.Presentation:BLEBLBELBBuser.Password:RYty9m3nQNuser.Address:Bob+address+Mot+Blauser.Email:BLOB@mail.comuser.UserGroupID:1di.Title:BLOBdi.Workplace:user.SSN:00001219-3421user.FirstName:MikconfirmEmail:BLOB@mail.comuser.Telephone:+3519023456662367ghjfgjh8:csrf_token:49xbpGTQPKCP0XBoPRszk3+wPAlh5D/X3Z3jAgTCB8k=; Path=/; HttpOnly
Vary: Cookie
Date: Thu, 20 Oct 2016 11:52:53 GMT
Content-Length: 0
Via: 1.1 google
Content-Type: text/html; charset=UTF-8
Alt-Svc: clear
Connection: close

So all that sensitive data is stored in a cookie, including the user's password.

A scenario to exploit this vulnerability is, for example, leveraging an XSS in the main site. Regardless, it's definitely not a good practice to store sensitive data in a cookie.

Cheers, Fisher
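The pattern in this report is a "flash" cookie that echoes the whole submitted form back so it can be re-populated after a validation error. The added example below is not part of the report or of Mindoktor's code: it shows the fix (an allow-list that strips credentials and identifiers before anything is flashed) and a matching check that flags a Set-Cookie header carrying such fields, so a response like the one above would fail a test. The field list SENSITIVE_FIELDS and the sample request/response are constructed for illustration.

```python
from urllib.parse import parse_qs

# Form fields that must never be echoed back to the client (assumed policy list).
SENSITIVE_FIELDS = {"user.Password", "confirmPassword", "user.SSN", "csrf_token"}


def safe_flash_fields(form_body: str) -> dict:
    """Server side: keep only the submitted fields that may be preserved in a
    flash cookie for re-populating the form after a validation error."""
    fields = parse_qs(form_body, keep_blank_values=True)
    return {name: values[0] for name, values in fields.items()
            if name not in SENSITIVE_FIELDS}


def cookie_leaks(raw_response: str) -> dict:
    """Review side: map each Set-Cookie name to the sensitive field names
    found in its value, so the leak can be caught in a test or proxy log.
    The flash format joins 'field:value' pairs, so we look for 'field:'."""
    leaks = {}
    for line in raw_response.splitlines():
        if not line.lower().startswith("set-cookie:"):
            continue
        cookie = line.split(":", 1)[1].strip()
        name, _, value = cookie.partition("=")
        hits = sorted(f for f in SENSITIVE_FIELDS if f + ":" in value)
        if hits:
            leaks[name] = hits
    return leaks


# Constructed sample request body with placeholder values.
SAMPLE_BODY = ("csrf_token=TOKEN&user.Email=a@example.com&user.Password=Secret1"
               "&confirmPassword=Secret1&user.FirstName=Mik&user.SSN=000000-0000"
               "&di.Workplace=")

# Constructed sample response that echoes submitted fields into the flash cookie.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Set-Cookie: clinic_clinic.PENTEST_ERRORS=%00false%3Aerror%00; Path=/; HttpOnly\r\n"
    "Set-Cookie: clinic_clinic.PENTEST_FLASH=user.Password:Secret1user.SSN:000000-0000"
    "user.FirstName:Mik; Path=/; HttpOnly\r\n"
    "Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print(safe_flash_fields(SAMPLE_BODY))   # no password, SSN or CSRF token
    print(cookie_leaks(SAMPLE_RESPONSE))    # flags the FLASH cookie
```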