Welcome to FirstBlood!


FirstBlood is BugBountyHunter's first ever live hacking challenge, with bounties to be won for valid findings! To celebrate our first event we are also going to donate a bounty to Watsi.org, which funds healthcare for people around the world, as a mark of respect.

Find information about the full scope & rules of engagement below.

Good luck and HAPPY HACKING!


Scope: 'FirstBloodHackers' (version 1.0)


Please note that the text below describing the web app, and the information on the web application itself, is satire.

"FirstBlood" is a hospital that understands and cares for everyone. Yes, everyone.

The world is a beautiful place, and so are you. Humans are so gifted: we possess the ability to spread and share love, which as a result makes others feel good. Isn't that amazing?! We embrace love here at FirstBloodHackers and make sure you are looked after, and we'll do our best to hack you back on track! Spread a little love today.

HackerCamps: "Fixing HackerBack".
Hackers are known to spend long periods of time on their computers, sometimes (okay, quite a lot!) slouching with bad posture. Over time this can cause what we call HackerBack, which is where your back is craving a good ole massage and a rest from hacking.

Book and manage your appointment with us safely and securely. Let us know your allergies so we can do our best to look after you. If you are unable to make your appointment then please make sure to cancel it. We don't like it when people miss appointments and do not let us know.

Credentials provided

You can login as ADMINISTRATOR with the following credentials: unauthorised to view! This account has full access to everything on the portal. We are unable to provide you with a non-administrator account; however, if you are able to figure out how to obtain one then we give you full permission to play around with it.


We are experimenting with a cryptocurrency based on the Ethereum blockchain called RESPECT and we have gifted $RSP to our hackers for their hard work and time spent on FirstBlood. This means even if a bug was closed as a dupe, they are still rewarded in RESPECT for submitting a valid bug. RESPECT is experimental at the moment but we have a lot of plans for the future.

Browse the various disclosed reports and see who's received some RESPECT for their epic findings.

Report Title | Severity | Hunter | Level
FirstBlood runs on http | Informative | zseano | Level 1
PII leak via /drpanel/drapi/qp.php?name=sanjay | CRITICAL | codersanjay | Level 3
Viewing/Cancelling anyone's appointment | High | th4nu0x0 | Level 2
IDOR on /api/qa.php | High | jpdev | Level 3
The patient email can be changed even though the application UI mentioned that this is not allowed. | High | bobbylin | Level 4
Open Url redirection | Low | d20s84 | Level 3
Editing other users' appointments with IDOR | High | pichik | Level 4
Stored XSS on | High | smhtahsin33 | Level 3
Users information disclosure via /attendees/event.php endpoint | CRITICAL | panya | Level 5
Enumerating PII. | CRITICAL | mava | Level 2
Newly created Doctor account was able to search for patient info via the query api | CRITICAL | bobbylin | Level 4
OpenRedirect on Secure Logout | Low | jonlaing | Level 2
Invite Code leaking on Reddit | High | mava | Level 2
/attendees/event.php authorisation bypass using X-SITE-REQ: permitted | CRITICAL | jpdev | Level 3
Multiple Register on same Username | High | mava | Level 2
Open URL Redirect on /drpanel/logout.php | Low | rintox | Level 3
Doctor Registration code misconfiguration | High | vermsec | Level 4
Leakage of P2 information of users who have taken appointment | High | iffu | Level 5
Open redirect on the logout.php endpoint [COLLAB] | Low | holybugx | Level 5
[IDOR] Modifying anyone's Appointment information | High | th4nu0x0 | Level 2
New Account Patient Information restriction bypass | CRITICAL | vermsec | Level 4
account takeover via re-register with the same username | High | parisk | Level 3
Stored XSS at http://firstbloodhackers.com:49229/api/ba.php (POST) and aptid enumeration at /api/qa.php can be used to steal cookie | High | 0xconft | Level 5
Un-Authorized users can access "/drpanel/drapi/qp.php" endpoint and access users PII [COLLAB] | CRITICAL | holybugx | Level 5
Stored XSS on /drpanel/drapi/query.php?aptid=<ID> | High | rintox | Level 3
aptid enumeration via http://firstbloodhackers.com:49276/api/qa.php can be used to leak Appointment data | High | 0xconft | Level 5
Open redirect on logout | Low | 0xSaltyHash | Level 2
Modification of the appointment's data - Collaboration with Jomar | High | serizao | Level 2
doctorAuthed cookie given at /register.php can be used to modify patient email at Appointment Form /manageappointment.php | High | 0xconft | Level 5
Leak arbitrary users appointment details Manage/delete them | High | ibruteforce | Level 4
Info leak at http://firstbloodhackers.com:49280/attendees/event.php?q=560720 | CRITICAL | 0xconft | Level 5
Invite Code Leaked on Reddit leading to broken Authorisation | High | jpdev | Level 3
I can see & cancel other patients appointments | High | thefawsec | Level 2
IDOR in aptid which grants access to every appointment | High | pichik | Level 4
Cancel arbitrary reports through 'aptid' parameter | High | ibruteforce | Level 4
PII disclosure using GET request | CRITICAL | thefawsec | Level 2
[COLLAB] 1 Click XSS can lead to Admin Account Takeover | CRITICAL | 0xblackbird | Level 3
A User can modify the Email of their appointment despite being disabled for safeguarding reasons | High | xnl-h4ck3r | Level 4
Stored XSS via canceled appointment message | CRITICAL | jtcsec | Level 4
Leaking PII data of users who have appointments using stored XSS and IDOR | High | xnl-h4ck3r | Level 4
Open redirect at http://firstbloodhackers.com:49330/drpanel/logout.php | Low | 0xconft | Level 5
XSS using ref Parameter | Medium | mava | Level 2
Registering to the application as a doctor due to the leaked invitation code [COLLAB] | High | holybugx | Level 5
Invite codes do not expire after use | High | jpdev | Level 3
New doctors can query appointments and users' information using vulnerable /drpanel/drapi/query.php endpoint | CRITICAL | holybugx | Level 5
Info leak on reddit leads to create acc with admin privileges | High | pichik | Level 4
A new user account can bypass security and view all patient data | High | xnl-h4ck3r | Level 4
A new user account can bypass security and view all appointment data | CRITICAL | xnl-h4ck3r | Level 4
Information Leak leads to full backend access | High | jonlaing | Level 2
Account takeover of a doctor account is possible due to flawed logic in the registration process | High | bobbylin | Level 4
IDOR at http://firstbloodhackers.com:49369/drpanel/drapi/qp.php can be used to query patient data without doctor account | CRITICAL | 0xconft | Level 5
Reflective XSS at http://firstbloodhackers.com:49369/register.php | Medium | 0xconft | Level 5
Un-Authorized access to critical users PII through the vulnerable /attendees/event.php endpoint | CRITICAL | holybugx | Level 5
Info leak for events and attendees including PII data | CRITICAL | xnl-h4ck3r | Level 4
POST Based Reflected XSS on Login | Medium | smhtahsin33 | Level 3
Stored XSS on /drpanel/drapi/query.php?aptid | High | iffu | Level 5
Reflected XSS via Javascript Scheme | Medium | smhtahsin33 | Level 3
Reflected XSS | Medium | smhtahsin33 | Level 3
IDOR - Restricted doctor can view all the details of the patient such as contact details etc. | CRITICAL | ibruteforce | Level 4
Open Redirect /drpanel/logout.php | Low | iffu | Level 5
IDOR on ma.php | High | jpdev | Level 3
IDOR - Restricted user can view the details of hospital user. | CRITICAL | ibruteforce | Level 4
IDOR 2 on ma.php - confirms numerical id for bug chain to report 127 without the need for drpanel | High | jpdev | Level 3
It is possible to view patient's data as a new doctor | CRITICAL | 0xblackbird | Level 3
Reflective XSS at http://firstbloodhackers.com:49421/login.php can be used to steal cookie | Medium | 0xconft | Level 5
Stored XSS through the appointments cancellation message leading to account takeover | CRITICAL | holybugx | Level 5
Open redirect on /drpanel/logout.php | Low | 0xblackbird | Level 3
Leaked invite ID allows anyone to register for an account. | High | 0xblackbird | Level 3
Potentially takeover other doctors account? | High | ibruteforce | Level 4
Creating a new user with same username overrides old password which can lead to account takeover | High | 0xblackbird | Level 3
Invitation code leaked on reddit | High | codersanjay | Level 3
Doctor Invitation Code doesn't expire after first usage | High | 0xSaltyHash | Level 2
IDOR on newly registered doctor | CRITICAL | codersanjay | Level 3
IDOR on /drpanel/drapi/qp.php endpoint | CRITICAL | codersanjay | Level 3
Patients can modify their information without authorization on "/manageappointment.php" endpoint | High | holybugx | Level 5
Leak PII through the events API | CRITICAL | jomar | Level 4
New Doctors can use the api to get patients data | CRITICAL | 0xSaltyHash | Level 2
Reflective XSS through the vulnerable ref header on /register.php endpoint | Medium | holybugx | Level 5
Reflected xss on login.php | Medium | 0xblackbird | Level 3
Event attendees leaked | CRITICAL | 0xSaltyHash | Level 2
Reflected XSS on register.php | Medium | 0xblackbird | Level 3
Reflective XSS on /login.php endpoint through the vulnerable `ref` parameter | Medium | holybugx | Level 5
Reflected xss on register.php | Medium | 0xblackbird | Level 3
Unauthenticated access to PII data on /drpanel/drapi/qp.php | CRITICAL | 0xblackbird | Level 3
Hackerback event attendees information disclosed through /attendees/event.php | CRITICAL | 0xblackbird | Level 3
Can know who are attending a HackerBack event | CRITICAL | codersanjay | Level 3
P2 information disclosure of the users attending the events | CRITICAL | iffu | Level 5
PII Creditcard information leaking via Event | CRITICAL | mava | Level 2
Creating Admin account using a leaked token on r/BugBountyHunter and using restricted API calls. | High | th4nu0x0 | Level 2
Found a way to register as non-admin user | High | iffu | Level 5
Stored XSS payload allowed in names when making an appointment can leak admin cookie | High | xnl-h4ck3r | Level 4
Adding cookie to the request allows us to modify way more data than allowed | High | 0xblackbird | Level 3
PII disclosure - I can see email, contact No of patients who is/has attending/attended the hackerback event | CRITICAL | thefawsec | Level 2
[Two Tales of Info leak] Site setting can be accessed and leaked a "x-site-req" header. This header can be used to get HackerBack event attendees info. | CRITICAL | bobbylin | Level 4
Emails and comments of other users can be changed using IDOR on aptID | High | holybugx | Level 5
New doctors can query appointments and users information using /drpanel/drapi/qp.php endpoint | CRITICAL | holybugx | Level 5
New doctors are able to view patient's private data through /drpanel/drapi/qp.php | CRITICAL | 0xblackbird | Level 3
GUID is replaceable by an 8 digit number which makes it vulnerable to IDOR | High | 0xblackbird | Level 3
Authorisation vulnerabilities with cookies | High | xnl-h4ck3r | Level 4
Reflected XSS using the hidden "goto" parameter leads to Admin Account Takeover | High | holybugx | Level 5
Information Disclosure allowing an attacker to register as a doctor | High | c3phas | Level 4
Stored Cross site scripting | CRITICAL | d20s84 | Level 3
Privilege Escalation on /drpanel/drapi/query.php and /drpanel/drapi/query.php | CRITICAL | iffu | Level 5
Application Logic allowing access to unauthorised information belonging to patients | CRITICAL | c3phas | Level 4
IDOR found on /api/ma.php | High | rintox | Level 3
Stored XSS on admin Side - Collaboration with Jomar | High | serizao | Level 2
Application Logic Issue allowing a doctor who is not authorised to view patients information on the dashboard | CRITICAL | c3phas | Level 4
script inclusion leads to phishing, ato, monitoring of clicks of the user [sxss] and interesting vulnerability | High | prob_hakz | Level 2
Stored XSS on /drpanel/drapi/query.php | High | 0xblackbird | Level 3
sxss leads to many things, entire site manipulation | CRITICAL | prob_hakz | Level 2
Info leak that leads to non admin login | High | d20s84 | Level 3
Stored XSS on /drpanel/drapi/query.php endpoint leading to Admin Account Takeover | High | holybugx | Level 5
[COLLAB] Stored XSS on message param through appointment annulation allows admin ATO | CRITICAL | jomar | Level 4
rxss leads to ato (account takeover) | Medium | prob_hakz | Level 2
Reflective XSS on Register page leading to leak of PII data | Medium | xnl-h4ck3r | Level 4
Reflected xss on login.php leads to account takeover | Medium | 0xblackbird | Level 3
Reflective XSS on Login page (requiring interaction), leading to leak of PII data | Medium | xnl-h4ck3r | Level 4
Can change email when modifying an appointment | High | rintox | Level 3
Account Creation with same Username overrides the one made before. | High | smhtahsin33 | Level 3
IDOR to view Patient Information from a Lower Privileged User | CRITICAL | smhtahsin33 | Level 3
IDOR in Search Patient Functionality Leads to PII Leakage | CRITICAL | smhtahsin33 | Level 3
DOM XSS | Medium | smhtahsin33 | Level 3
Patient's information can be obtained from a non admin account | CRITICAL | d20s84 | Level 3
Recently registered doctor account can still query /drpanel/drapi/qp.php & /drpanel/drapi/query.php | CRITICAL | 0xconft | Level 5
Docauth cookie used to amend email - Additionally chained with Rpt 127 and 129 - This is the full report. | High | jpdev | Level 3
Stored XSS on Admin API endpoint for querying Appointment | High | xnl-h4ck3r | Level 4
Event is leaking attendees Personal information. | CRITICAL | th4nu0x0 | Level 2
a Doctor can cancel patient's appointments | High | twsec | Level 2
Open Redirect via logout ref parameter | Low | codersanjay | Level 3
Stored XSS on /manageappointment.php using the message parameter leading to account takeover | High | holybugx | Level 5
Attacker can register a user name that has already been registered | High | xnl-h4ck3r | Level 4
Stored XSS via malicious appointment message leads to ATO | High | jtcsec | Level 4
Stored XSS on yourappointments.php can lead to account takeover | High | 0xblackbird | Level 3
Stored XSS on cancelled.php endpoint | High | codersanjay | Level 3
idor | High | prob_hakz | Level 2
Reflected XSS on /login.php using ref parameter | Medium | iffu | Level 5
CWE-601 Open Redirect on GET /drpanel/logout.php via ref param | Low | jpdev | Level 3
[COLLAB] Query appointment with simple ID / Bypass front end restriction | High | jomar | Level 4
Open Redirect Vulnerability Observed in the Firstbloodhacker.com | Low | netmous3 | Level 4
New Doctor Registration Invitation Code Leaked to the Public | High | netmous3 | Level 4
Reflected XSS on login Page via ref parameter | Medium | codersanjay | Level 3
Critical PII of Patients Leaked to the Public | CRITICAL | netmous3 | Level 4
Reflected XSS via ref parameter on login | Medium | vermsec | Level 4
Reflected XSS on register page | Medium | pichik | Level 4
Email id can be modified for a patient | High | d20s84 | Level 3
PII Data of the Firstbloodhacker.com All patients were Publicly Accessible | High | netmous3 | Level 4
Reflected XSS on /login.php using the GET parameter 'goto' | Medium | iffu | Level 5
Open Redirect on /login.php via goto body parameter | Low | iffu | Level 5
register as non admin doctor | High | twsec | Level 2
Open redirect in logout function | Low | YouGina | Level 2
a non admin doctor can still view patient information using the api | High | twsec | Level 2
Hackerback Event Details Along with Attendee's Personal Information Exposed to Public | CRITICAL | netmous3 | Level 4
Stored XSS + stealing cookies through XSS hunter | High | vigilante | Level 3
Cross Site Scripting vulnerability in client firstname/lastname | High | YouGina | Level 2
Stored XSS on query.php via lname & fname parameter | High | vermsec | Level 4
Rank | Researcher | Level | 'FirstBlood' Bugs | Disclosed | Hacking Time | RESPECT
#1. | holybugx | Level 5 | 16 | 14 disclosed | 0 days, 16 hours, 50 minutes and 4 seconds | 32.5M
#2. | jtcsec | Level 4 | 15 | 2 disclosed | 1 days, 20 hours, 46 minutes and 59 seconds | 30.0M
#3. | 0xblackbird | Level 3 | 15 | 16 disclosed | 0 days, 5 hours, 15 minutes and 37 seconds | 25.5M
#4. | jomar | Level 4 | 9 | 3 disclosed | 0 days, 21 hours, 23 minutes and 48 seconds | 17.5M
#5. | xnl-h4ck3r | Level 4 | 11 | 11 disclosed | 2 days, 5 hours, 58 minutes and 59 seconds | 17.5M
#6. | ibruteforce | Level 4 | 10 | 5 disclosed | 0 days, 22 hours, 59 minutes and 17 seconds | 16.0M
#7. | codersanjay | Level 3 | 10 | 8 disclosed | 1 days, 5 hours, 27 minutes and 22 seconds | 15.5M
#8. | serizao | Level 2 | 8 | 2 disclosed | 0 days, 13 hours, 50 minutes and 1 seconds | 14.5M
#9. | 0xconft | Level 5 | 9 | 9 disclosed | 0 days, 20 hours, 31 minutes and 41 seconds | 14.5M
#10. | prob_hakz | Level 2 | 10 | 4 disclosed | 2 days, 3 hours, 42 minutes and 18 seconds | 13.0M
#11. | iffu | Level 5 | 9 | 9 disclosed | 2 days, 17 hours, 54 minutes and 56 seconds | 12.5M
#12. | smhtahsin33 | Level 3 | 9 | 8 disclosed | 0 days, 1 hours, 2 minutes and 51 seconds | 12.0M
#13. | jpdev | Level 3 | 7 | 8 disclosed | 0 days, 22 hours, 23 minutes and 55 seconds | 12.0M
#14. | pichik | Level 4 | 9 | 4 disclosed | 1 days, 10 hours, 42 minutes and 58 seconds | 12.0M
#15. | th4nu0x0 | Level 2 | 5 | 4 disclosed | 0 days, 4 hours, 22 minutes and 23 seconds | 9.5M
#16. | d20s84 | Level 3 | 6 | 5 disclosed | 0 days, 16 hours, 12 minutes and 31 seconds | 9.0M
#17. | panya | Level 5 | 7 | 1 disclosed | 0 days, 4 hours, 1 minutes and 21 seconds | 9.0M
#18. | shivam18u | Level 3 | 6 | 0 disclosed | 1 days, 10 hours, 11 minutes and 29 seconds | 9.0M
#19. | vigilante | Level 3 | 6 | 1 disclosed | 1 days, 7 hours, 42 minutes and 35 seconds | 8.5M
#20. | mava | Level 2 | 5 | 5 disclosed | 0 days, 11 hours, 58 minutes and 56 seconds | 7.5M
#21. | vermsec | Level 4 | 5 | 4 disclosed | 0 days, 13 hours, 32 minutes and 7 seconds | 7.5M
#22. | bobbylin | Level 4 | 4 | 4 disclosed | 0 days, 21 hours, 6 minutes and 53 seconds | 6.0M
#23. | sh3llf1r3 | Level 3 | 5 | 0 disclosed | 0 days, 6 hours, 44 minutes and 54 seconds | 6.0M
#24. | rintox | Level 3 | 4 | 4 disclosed | 0 days, 7 hours, 46 minutes and 30 seconds | 6.0M
#25. | netmous3 | Level 4 | 5 | 5 disclosed | 2 days, 4 hours, 56 minutes and 54 seconds | 6.0M
#26. | parisk | Level 3 | 3 | 1 disclosed | 0 days, 13 hours, 53 minutes and 5 seconds | 5.5M
#27. | twsec | Level 2 | 3 | 3 disclosed | 0 days, 10 hours, 57 minutes and 15 seconds | 5.5M
#28. | yashamin | Level 2 | 4 | 0 disclosed | 0 days, 10 hours, 32 minutes and 8 seconds | 4.5M
#29. | 0xSaltyHash | Level 2 | 4 | 4 disclosed | 0 days, 15 hours, 12 minutes and 47 seconds | 4.5M
#30. | thefawsec | Level 2 | 3 | 3 disclosed | 0 days, 10 hours, 25 minutes and 45 seconds | 4.5M
#31. | c3phas | Level 4 | 3 | 3 disclosed | 0 days, 12 hours, 18 minutes and 3 seconds | 4.5M
#32. | sumzer0 | Level 2 | 3 | 0 disclosed | 0 days, 15 hours, 35 minutes and 1 seconds | 4.0M
#33. | jonlaing | Level 2 | 3 | 2 disclosed | 1 days, 9 hours, 19 minutes and 42 seconds | 3.5M
#34. | humboldtux | Level 3 | 2 | 0 disclosed | 0 days, 4 hours, 15 minutes and 35 seconds | 3.5M
#35. | ribersec | Level 2 | 2 | 0 disclosed | 0 days, 9 hours, 7 minutes and 50 seconds | 3.0M
#36. | egryan1 | Level 2 | 3 | 0 disclosed | 0 days, 17 hours, 1 minutes and 45 seconds | 3.0M
#37. | YouGina | Level 2 | 2 | 2 disclosed | 0 days, 1 hours, 45 minutes and 18 seconds | 2.5M
#38. | xgxtr | Level 2 | 2 | 0 disclosed | 0 days, 3 hours, 1 minutes and 51 seconds | 2.0M
#39. | iamvictorteh | Level 4 | 1 | 0 disclosed | 0 days, 12 hours, 50 minutes and 36 seconds | 1.0M
#40. | sehno | Level 2 | 1 | 0 disclosed | 0 days, 1 hours, 6 minutes and 21 seconds | 1.0M
#41. | flag_c0 | Level 3 | 1 | 0 disclosed | 0 days, 7 hours, 29 minutes and 20 seconds | 500K
#42. | tyrox | Level 2 | 1 | 0 disclosed | 0 days, 10 hours, 15 minutes and 35 seconds | 500K

FirstBlood Bugs


FirstBlood ID | Description | Type | Found By
1 | There is an open URL redirect vulnerability on /logout.php. The code expects the target to start with / and does not allow redirects to external domains, but this check can be bypassed. | Open Redirect | 36
2 | The parameter "goto" is vulnerable to XSS on login.php. The web application makes use of a WAF, but this can be bypassed as it is only looking for certain HTML tags and event handlers. It is also vulnerable to open redirect, but XSS is the intended bug. | Reflective XSS | 14
3 | The parameter "ref" is vulnerable to XSS on login.php. The developer has tried to prevent a malicious actor from redirecting to a javascript URI, but the attempt to stop this was poor and thus it can be bypassed. | Reflective XSS | 10
4 | The parameter "ref" is vulnerable to XSS on register.php. The developer made use of htmlentities, but this is inadequate as the HREF is wrapped in single quotes. | Reflective XSS | 7
5 | The endpoint QA.php (to query for an appointment) will allow integer values to be used when querying for appointments. A bad case of security through obscurity was attempted. | IDOR | 14
6 | The endpoint MA.php (to modify an appointment) will allow integer values to be used when modifying appointments. A bad case of security through obscurity was attempted. | IDOR | 16
7 | The endpoint MA.php (to modify an appointment) only allows certain values to be modified; however, due to an application logic error, if the user has tried to sign up as a doctor and has the cookie "doctorAuthed" set, then it allows them to modify the email address for any appointment. | Application/Business Logic | 17
8 | When cancelling an appointment, an attacker can add a malicious XSS payload that will execute against administrators/doctors. | Stored XSS | 12
9 | When cancelling an appointment, an attacker can add a malicious XSS payload that will execute on manageappointment. Any user (non-authed) can view this and will be affected. | Stored XSS | 4
10 | When creating an appointment, it is possible to get stored XSS on /drapi/query.php via the patient's name. | Stored XSS | 25
11 | Administrator endpoints can be accessed by non-privileged doctor accounts, which reveals sensitive patient information. | Application/Business Logic | 31
12 | If the request method is changed from POST to GET, then the endpoint /drapi/qp.php becomes available to ANY user due to an application logic error. | Auth issues | 18
13 | /attendees/event can be seen on the HackerBack.html page but has a blank response. Upon further inspection, and from making use of the web app, you will notice you can add certain headers in order to interact with this endpoint. An old event ID leaks PII about attendees. | Info leak | 26
14 | The parameter "goto" is vulnerable to XSS on login.php. The web application fails to filter the javascript URI upon redirecting. | Reflective XSS | 3
15 | A doctor's invite code is leaked on the internet which, if used, grants anyone access to the doctor portal. The invite code should expire after use. | Auth issues | 26
16 | The parameter "ref" is vulnerable to XSS on register.php. The developers failed to filter javascript: when used on "return to previous page". | Reflective XSS | 5
17 | Unintended: An account with the same username can be created, which leads to the original account being deleted and replaced with the attacker's. | Auth issues | 9
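Bugs 1, 2, 3, 4, 14 and 16 above share one root cause: a redirect or "return to previous page" target taken from a request parameter (`goto`, `ref`) is checked with a weak rule (starts with `/`, contains no banned tag, not literally `javascript:`) or encoded with a function that does not match the attribute's quoting. The snippet below is an added example written for this page, not code from the FirstBlood app or from BugBountyHunter; it is in Python rather than the app's PHP, and the function names `is_safe_local_redirect`, `resolve_redirect` and `back_link_html` are assumptions. It shows the defensive shape that closes all of these at once: allow only same-site absolute paths, reject rather than filter anything else, and escape the value with quotes included before placing it in a single-quoted `href`.

```python
import html
from urllib.parse import urlsplit

# Added example (not the FirstBlood app's code). Endpoint/parameter names
# (/logout.php, goto, ref) come from the bug list; function names are assumed.


def is_safe_local_redirect(target: str) -> bool:
    """True only for a same-site absolute path such as '/yourappointments.php'.

    A bare "starts with /" check (bug 1) still admits the protocol-relative
    form '//host' and its backslash variant '/\\host'; a value that does not
    start with '/' at all (a 'javascript:' or 'https:' URI, bugs 3/14/16)
    must be rejected outright rather than pattern-filtered (bug 2).
    """
    if not isinstance(target, str) or not target:
        return False
    # Browsers (and recent urllib versions) strip ASCII tab/newline while
    # parsing, so a raw control character could smuggle '/\t/host' past the
    # prefix checks below. Reject them before parsing.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in target):
        return False
    # Must be an absolute path ...
    if target[0] != "/":
        return False
    # ... and not a protocol-relative URL ('//host') or '/\host'.
    if len(target) > 1 and target[1] in "/\\":
        return False
    # Belt and braces: the URL parser must see neither a scheme nor an
    # authority, whatever the string looks like.
    parts = urlsplit(target)
    return parts.scheme == "" and parts.netloc == ""


def resolve_redirect(requested: str, default: str = "/") -> str:
    """Value for the Location header: the requested path if it validates,
    otherwise a fixed same-site default (never the unvalidated input)."""
    return requested if is_safe_local_redirect(requested) else default


def back_link_html(ref: str) -> str:
    """Render the 'return to previous page' link inside a single-quoted href.

    Bug 4's root cause is an encoder that leaves the single quote alone while
    the attribute is delimited by single quotes. html.escape(..., quote=True)
    encodes both quote characters, so the value cannot close the attribute.
    """
    href = resolve_redirect(ref, "/")
    return "<a href='{}'>Return to previous page</a>".format(
        html.escape(href, quote=True)
    )


if __name__ == "__main__":
    # Constructed sample inputs: two legitimate paths and three shapes the
    # bug list says slipped past the original checks.
    for sample in ["/cancelled.php", "/login.php?goto=%2Fhome",
                   "//evil.example/", "/\\evil.example", "javascript:alert(1)"]:
        print(repr(sample), "->", resolve_redirect(sample))
```

The validator is deliberately an allow-list (only absolute same-site paths pass) rather than a block-list of tags, schemes or hosts; that is what makes the WAF-bypass and `javascript:`-filter-bypass classes in bugs 2, 3 and 14 irrelevant. If the application genuinely needs to redirect to other hosts, compare the parsed host against an explicit list of allowed origins instead of widening this check.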