HackerOne report H1:177018, reporter Fisher. History: Oct 20, 2016 - 12:01 p.m.

Mindoktor: Storing sensitive information on cookie post-registration

2016-10-20 12:01:28 | fisher | hackerone.com | $300 | 24

Hello,

I’ve noticed that upon registering, the server sets a cookie named clinic_clinic.PENTEST_FLASH. In it, it stores all the information the user used to register.

Sample request:
POST /user/register HTTP/1.1
Host: clinic.pentest.mindoktor.io
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://clinic.pentest.mindoktor.io/user/register
Cookie: clinic_clinic.PENTEST_FLASH=; clinic_clinic.PENTEST_SESSION=8ec97c3d12dd00e4d16cc67ef23101947022e5a9-%00csrf_token%3A49xbpGTQPKCP0XBoPRszk3%2BwPAlh5D%2FX3Z3jAgTCB8k%3D%00%00_TS%3Asession%00
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 485

csrf_token=49xbpGTQPKCP0XBoPRszk3%2BwPAlh5D%2FX3Z3jAgTCB8k%3D&2367ghjfgjh8=&[email protected]&[email protected]&user.Password=RYty9m3nQN&confirmPassword=RYty9m3nQN&user.FirstName=Mik&user.LastName=Fisher&user.SSN=00001219-3421&user.Address=Bob+address+Mot+Bla&user.PostalCode=34565&user.City=1234&user.Telephone=%2B351902345666&confirmTelephone=%2B351902345666&user.UserGroupID=1&di.Workplace=&di.LicenseCode=&di.Title=BLOB&di.Signature=Blobl&di.Presentation=BLEBLBELBB

Sample response:

HTTP/1.1 302 Found
Content-Type:
Location: /user/register?destination=
Set-Cookie: clinic_clinic.PENTEST_ERRORS=%00false%3ADet+finns+redan+ett+konto+med+det+angivna+personnumret.%00; Path=/; HttpOnly
Set-Cookie: clinic_clinic.PENTEST_FLASH=di.LicenseCode:di.Signature:BloblconfirmPassword:RYty9m3nQNuser.LastName:FisherconfirmTelephone:+351902345666user.City:1234user.PostalCode:34565di.Presentation:BLEBLBELBBuser.Password:RYty9m3nQNuser.Address:Bob+address+Mot+Blauser.Email:[email protected]:1di.Title:BLOBdi.Workplace:user.SSN:00001219-3421user.FirstName:MikconfirmEmail:[email protected]:+3519023456662367ghjfgjh8:csrf_token:49xbpGTQPKCP0XBoPRszk3+wPAlh5D/X3Z3jAgTCB8k=; Path=/; HttpOnly
Vary: Cookie
Date: Thu, 20 Oct 2016 11:52:53 GMT
Content-Length: 0
Via: 1.1 google
Content-Type: text/html; charset=UTF-8
Alt-Svc: clear
Connection: close

So all that sensitive data is stored in a cookie, including the user’s password.

A scenario to exploit this vulnerability is, for example, leveraging an XSS in the main site. Regardless, it’s definitely not a good practice to store sensitive data in a cookie.

Cheers,
Fisher
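As an added example (not part of Fisher's report or Mindoktor's code), the following Go code shows both sides of the issue from a defender's view: a detection check that parses a flash cookie from a response and lists any form fields that should never have been echoed back, and a filtered flash writer that repopulates a form after a redirect without the password or SSN. The NUL-delimited "key:value" cookie layout (taken from the ERRORS cookie above), the sample value and the sensitive-field list are assumptions for the example.

```go
package main

import (
	"net/url"
	"sort"
	"strings"
)

// Form fields that must never be echoed back in a flash cookie (constructed list; extend to match the form).
var sensitiveFields = map[string]bool{"user.Password": true, "confirmPassword": true, "user.SSN": true}

// Constructed cookie value in the assumed URL-encoded "\x00key:value\x00" layout seen in the ERRORS cookie.
const constructedFlash = "%00user.FirstName%3AMik%00%00user.Password%3ARYty9m3nQN%00%00user.SSN%3A00001219-3421%00"

// parseFlash URL-decodes a flash value and splits its NUL-delimited "key:value" entries into a map.
func parseFlash(raw string) (map[string]string, error) {
	decoded, err := url.QueryUnescape(raw)
	fields := map[string]string{}
	for _, entry := range strings.Split(decoded, "\x00") {
		if k, v, ok := strings.Cut(entry, ":"); ok {
			fields[k] = v
		}
	}
	return fields, err
}

// fieldsWhere returns, sorted, the keys of m whose sensitivity equals want.
func fieldsWhere(m map[string]string, want bool) []string {
	var keys []string
	for k := range m {
		if sensitiveFields[k] == want {
			keys = append(keys, k)
		}
	}
	sort.Strings(keys)
	return keys
}

// leakedFields (detection): sensitive field names found in a parsed response cookie.
func leakedFields(fields map[string]string) []string { return fieldsWhere(fields, true) }

// safeFlash (mitigation): rebuilds the flash value from the submitted form but drops
// sensitive keys, so the redirect can still repopulate the form without the secrets.
func safeFlash(params map[string]string) string {
	var b strings.Builder
	for _, k := range fieldsWhere(params, false) {
		b.WriteString("\x00" + k + ":" + params[k] + "\x00")
	}
	return url.QueryEscape(b.String())
}
```

Running leakedFields over parsed Set-Cookie values from a proxy capture is a quick way to spot this class of leak in a test environment; safeFlash is the shape the server-side fix takes.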