Welcome to FirstBlood!


FirstBlood is BugBountyHunter's first ever live hacking challenge with bounties to be won for valid findings! To celebrate our first event we are also going to donate a bounty to Watsi.org which funds healthcare for people around the world out of respect.

Find information about the full scope & rules of engagement below.

Good luck and HAPPY HACKING!

Your Stats


Oops, looks like you aren't logged in. If you're a member then please login to your account to view this information.


If you are not a member then check out our membership options.


Scope: 'FirstBloodHackers' (version 1.0)


Please note the parts of text below (describing the web app) and information on our web application is satire.

"FirstBood" is a hospital that understands and care for everyone. Yes, everyone.

The world is a beautiful place, and so are you. Humans are so gifted we possess the ability to spread & share love which as a result makes others' feel good. Isn't that amazing?! We embrace love here at FirstBloodHackers and make sure you are looked after and we'll do our best to hack you back on track! Spread a little love today.

HackerCamps: "Fixing HackerBack".
Hackers are known to spend long periods of time on their computers, sometimes (okay, quite a lot!) slouching with bad posture. Overtime this can cause what we call, HackerBack, which is where your back is craving a good ole massage and a rest from hacking.

Book and manage your appointment with us safely and securely. Let us know your allergies so we can do our best to look after you. If you are unable to make your appointment then please make sure to cancel your appointment. We don't like it when people appointments and do not let us know.

Credentials provided

You can login as ADMINISTRATOR with the following credentials: unauthorised to view!. This account has full access to everything on the portal. We are unable to provide you with a non administrator account, however if you are able to figure out how to obtain one then we give you full permission to play around with these.


We are experimenting with a cryptocurrency based on the Ethereum blockchain called RESPECT and we have gifted $RSP to our hackers for their hard work and time spent on FirstBlood. This means even if a bug was closed as a dupe, they are still rewarded in RESPECT for submitting a valid bug. RESPECT is experimental at the moment but we have a lot of plans for the future.

Browse the various disclosed reports and see who's received some RESPECT for their epic findings

Report Title Severity Hunter
FirstBlood runs on http Informative zseano
PII leak via /drpanel/drapi/qp.php?name=sanjay CRITICAL codersanjay
Viewing/Cancelling anyone's appointment High th4nu0x0
IDOR on /api/qa.php High jpdev
The patient email can be changed even though the application UI mentioned that this is not allowed. High bobbylin
Open Url redirection Low d20s84
Stored XSS on High smhtahsin33
Users information disclosure via /attendees/event.php endpoint CRITICAL panya
Enumerating PII. CRITICAL mava
Newly created Doctor account was able to search for patient info via the query api CRITICAL bobbylin
OpenRedirect on Secure Logout Low jonlaing
Invite Code leaking on Reddit High mava
/attendees/event.php authoriation bypass using X-SITE-REQ: permitted CRITICAL jpdev
Multiple Register on same Username High mava
Open URL Redirect on /drpanel/logout.php Low rintox
Doctor Registration code misconfiguration High vermsec
Leakage of P2 information of users who have taken appointment High iffu
Open redirect on the logout.php endpoint [COLLAB] Low holybugx
[IDOR] Modifying anyone's Appointment information High th4nu0x0
New Account Patient Information restriction bypass CRITICAL vermsec
account takeover via re-register with the same username High parisk
Stored XSS at http://firstbloodhackers.com:49229/api/ba.php (POST) and aptid enumeration at /api/qa.php can be used to steal cookie High 0xconft
Un-Authorized users can access "/drpanel/drapi/qp.php" endpoint and access users PII [COLLAB] CRITICAL holybugx
Stored XSS on /drpanel/drapi/query.php?aptid=<ID> High rintox
aptid enumeration via http://firstbloodhackers.com:49276/api/qa.php can be used to leak Appointment data High 0xconft
Open redirect on logout Low 0xn00b
Modification of the appointement's data - Collaboration with Jomar High serizao
doctorAuthed cookie given at /register.php can be used to modify patient email at Appointment Form /manageappointment.php High 0xconft
Leak arbitrary users appointment details Manage/delete them High ibruteforce
Info leak at http://firstbloodhackers.com:49280/attendees/event.php?q=560720 CRITICAL 0xconft
Invite Code Leaked on Reddit leading to broken Authorisation High jpdev
I can see & cancel other patients appointments High thefawsec
IDOR in aptid which grants access to every appointment High pichik
Cancel arbitrary reports through 'aptid' parameter High ibruteforce
PII disclosure using GET request CRITICAL thefawsec
[COLLAB] 1 Click XSS can lead to Admin Account Takeover CRITICAL 0xblackbird
A User can modify the Email of their appointment despite being disabled for safeguarding reasons High xnl-h4ck3r
Stored XSS via canceled appointment message CRITICAL jtcsec
Leaking PII data of users who have appointments using stored XSS and IDOR High xnl-h4ck3r
Open redirect at http://firstbloodhackers.com:49330/drpanel/logout.php Low 0xconft
XSS using ref Parameter Medium mava
Registring to the application as a doctor due to the leaked invitation code [COLLAB] High holybugx
Invite codes do not expire after use High jpdev
New doctors can query appointments and users informations using vulnerable /drpanel/drapi/query.php endpoint CRITICAL holybugx
Info leak on reddit leads to create acc with admin privileges High pichik
An new user account can bypass security and view all patient data High xnl-h4ck3r
An new user account can bypass security and view all appointment data CRITICAL xnl-h4ck3r
Information Leak leads to full backend access High jonlaing
Account takeover of a doctor account is possible due to flawed logic in the registration process High bobbylin
IDOR at http://firstbloodhackers.com:49369/drpanel/drapi/qp.php can be used to query patient data without doctor account CRITICAL 0xconft
Reflective XSS at http://firstbloodhackers.com:49369/register.php Medium 0xconft
Un-Authorized access to critical users PII through the vulnerable /attendees/event.php endpoint CRITICAL holybugx
Info leak for events and attendees including PII data CRITICAL xnl-h4ck3r
POST Based Reflected XSS on Login Medium smhtahsin33
Stored XSS on /drpanel/drapi/query.php?aptid High iffu
Reflected XSS via Javascript Scheme Medium smhtahsin33
Reflected XSS Medium smhtahsin33
IDOR - Restricted doctor can view all the details of the patient such as contact details etc. CRITICAL ibruteforce
Open Redirect /drpanel/logout.php Low iffu
IDOR on ma.php High jpdev
IDOR - Restricted user can view the details of hospital user. CRITICAL ibruteforce
IDOR 2 on ma.php - confirms numerical id for bug chain to report 127 without the need for drpanel High jpdev
It is possible to view patient's data as a new doctor CRITICAL 0xblackbird
Reflective XSS at http://firstbloodhackers.com:49421/login.php can be used to steal cookie Medium 0xconft
Stored XSS through the appointments cancelation message leading to account takeover CRITICAL holybugx
Open redirect on /drpanel/logout.php Low 0xblackbird
Leaked invite ID allows anyone to register for an account. High 0xblackbird
Potentially takeover other doctors account? High ibruteforce
Creating a new user with same username overrides old password which can lead to account takeover High 0xblackbird
Invitation code leaked on reddit High codersanjay
Doctor Invitation Code doesn't expire after first uage High 0xn00b
IDOR on newly registered doctor CRITICAL codersanjay
IDOR on /drpanel/drapi/qp.php endpoint CRITICAL codersanjay
Patient's can modify their information without authorization on "/manageappointment.php" endpoint High holybugx
Leak PII through the events API CRITICAL jomar
New Doctors can use the api to get patients data CRITICAL 0xn00b
Reflective XSS through the vulnerable ref header on /register.php endpoint Medium holybugx
Reflected xss on login.php Medium 0xblackbird
Event attendees leaked CRITICAL 0xn00b
Reflected XSS on register.php Medium 0xblackbird
Reflective XSS on /login.php endpoint through the vulnerable `ref` parameter Medium holybugx
Reflected xss on register.php Medium 0xblackbird
Unauthenticated access to PII data on /drpanel/drapi/qp.php CRITICAL 0xblackbird
Hackerback event attendees information disclosed through /attendees/event.php CRITICAL 0xblackbird
Can know who are attending an HackerBack event CRITICAL codersanjay
P2 information disclosure of the users attending the events CRITICAL iffu
PII Creditcard information leaking via Event CRITICAL mava
Creating Admin account using a leaked token on r/BugBountyHunter and using restricted API calls . High th4nu0x0
Found a way to register as non-admin user High iffu
Stored XSS payload allowed in names when making an appointment can leak admin cookie High xnl-h4ck3r
Adding cookie to the request allows us to modify way more data then allowed High 0xblackbird
PII disclosure - I can see email,contact No of patients who is/has attending/attended the hackerback event CRITICAL thefawsec
[Two Tales of Info leak] Site setting can be accessed and leaked a "x-site-req" header. This header can be used to get HackerBack event attendees info. CRITICAL bobbylin
Emails and comments of other users can be changed using IDOR on aptID High holybugx
New doctors can query appointments and users information using /drpanel/drapi/qp.php endpoint CRITICAL holybugx
New doctors are able to view patient's private data through /drpanel/drapi/qp.php CRITICAL 0xblackbird
GUUID is replaceable by an 8 digit number which makes it vulnerable to IDOR High 0xblackbird
Authorisation vulnerabilities with cookies High xnl-h4ck3r
Reflected XSS on using the hidden "goto" parameter leads to Admin Account Takeover High holybugx
Information Disclosure allowing an attacker to register as a doctor High c3phas
Stored Cross site scripting CRITICAL d20s84
Privilege Escalation on /drpanel/drapi/query.php and /drpanel/drapi/query.php CRITICAL iffu
Application Logic allowing access to unauthorised information belonging to patients CRITICAL c3phas
IDOR found on /api/ma.php High rintox
Stored XSS on admin Side - Collaboration with Jomar High serizao
Application Logic Issue allowing a doctor who is not authorised to view patients information on the dashboard CRITICAL c3phas
script inclusion leads to phishing,ato,monitoring of clicks of the user [sxss] and intresting vulnerablity High prob_hakz
Stored XSS on /drpanel/drapi/query.php High 0xblackbird
sxss`leads to manything entire site manipulation CRITICAL prob_hakz
Info leak that leads to non admin login High d20s84
Stored XSS on /drpanel/drapi/query.php endpoint leading to Admin Account Takeover High holybugx
[COLLAB] Stored XSS on message param through appointment annulation allow admin ATO CRITICAL jomar
rxss leads to ato accountakeover Medium prob_hakz
Reflective XSS on Register page leading to leak of PII data Medium xnl-h4ck3r
Reflected xss on login.php leads to account takeover Medium 0xblackbird
Reflective XSS on Login page (requiring interaction), leading to leak of PII data Medium xnl-h4ck3r
Can change email when modifying an appointment High rintox
Account Creation with same Username overrides the one made before. High smhtahsin33
IDOR to view Patient Information from a Lower Privileged User CRITICAL smhtahsin33
IDOR in Search Patient Functionality Leads to PII Leakage CRITICAL smhtahsin33
DOM XSS Medium smhtahsin33
Patient's information can be obtained from a non admin account CRITICAL d20s84
Recently registered doctor account can still query /drpanel/drapi/qp.php & /drpanel/drapi/query.php CRITICAL 0xconft
Docauth cookie used to amend email - Additionally chained with Rpt 127 and 129 - This is the full report. High jpdev
Stored XSS on Admn API endpoint for querying Appointment High xnl-h4ck3r
Event is leaking attendees Personal information. CRITICAL th4nu0x0
a Doctor can cancel patient's appointments High twsec
Open Redirect via logout ref parameter Low codersanjay
Stored XSS on /manageappointment.php using the message parameter leading to account takeover High holybugx
Attacker can register a user name that has already been registered High xnl-h4ck3r
Stored XSS via malicious appointment message leads to ATO High jtcsec
Stored XSS on yourappointments.php can lead to account takeover High 0xblackbird
Stored XSS on cancelled.php endpoint High codersanjay
idor High prob_hakz
Reflected XSS on /login.php using ref parameter Medium iffu
CWE-601 Open Redirect on GET /drpanel/logout.php via ref param Low jpdev
[COLLAB] Query appointment with simple ID / Bypass front end restriction High jomar
Open Redirect Vulnerability Observed in the Firstbloodhacker.com Low netmous3
New Doctor Registration Invitation Code Leaked to the Public High netmous3
Reflected XSS on login Page via ref paramater Medium codersanjay
Critical PII of Patients Leaked to the Public CRITICAL netmous3
Reflected XSS via ref parameter on login Medium vermsec
Reflected XSS on register page Medium pichik
Email id can be modified for a patient High d20s84
PII Data of the Fistbloodhacker.com All patient's were Publicly Accessible High netmous3
Reflected XSS on /login.php using the GET paramter 'goto' Medium iffu
Open Redirect on /login.php via goto body parameter Low iffu
register as non admin doctor High twsec
Open redirect in logout function Low YouGina
a non admin doctor can still view patient information using the api High twsec
Hackerback Event Details Along with Attendee's Personal Information Exposed to Public CRITICAL netmous3
Stored XSS + stealing cookies through XSS hunter High vigilante
Cross Site Scripting vulnerability in client firstname/lastname High YouGina
Stored XSS on query.php via lname & fname parameter High vermsec
Researcher 'FirstBlood' Bugs RESPECT Points
holybugx 1614 disclosed 32500000
jtcsec 152 disclosed 30000000
0xblackbird 1516 disclosed 25500000
#4. jomar 93 disclosed 17500000
#5. xnl-h4ck3r 1111 disclosed 17500000
#6. ibruteforce 105 disclosed 16000000
#7. codersanjay 108 disclosed 15500000
#8. 0xconft 99 disclosed 14500000
#9. serizao 82 disclosed 14500000
#10. prob_hakz 104 disclosed 13000000
#11. iffu 99 disclosed 12500000
#12. smhtahsin33 98 disclosed 12000000
#13. jpdev 78 disclosed 12000000
#14. pichik 93 disclosed 12000000
#15. th4nu0x0 54 disclosed 9500000
#16. d20s84 65 disclosed 9000000
#17. shivam18u 60 disclosed 9000000
#18. panya 71 disclosed 9000000
#19. vigilante 61 disclosed 8500000
#20. mava 55 disclosed 7500000
#21. vermsec 54 disclosed 7500000
#22. rintox 44 disclosed 6000000
#23. netmous3 55 disclosed 6000000
#24. sh3llf1r3 50 disclosed 6000000
#25. bobbylin 44 disclosed 6000000
#26. twsec 33 disclosed 5500000
#27. parisk 31 disclosed 5500000
#28. 0xn00b 44 disclosed 4500000
#29. yashamin 40 disclosed 4500000
#30. c3phas 33 disclosed 4500000
#31. thefawsec 33 disclosed 4500000
#32. sumzer0 30 disclosed 4000000
#33. jonlaing 32 disclosed 3500000
#34. humboldtux 20 disclosed 3500000
#35. ribersec 20 disclosed 3000000
#36. egryan1 30 disclosed 3000000
#37. YouGina 22 disclosed 2500000
#38. xgxtr 20 disclosed 2000000
#39. iamvictorteh 10 disclosed 1000000
#40. sehno 10 disclosed 1000000
#41. tyrox 10 disclosed 500000
#42. flag_c0 10 disclosed 500000

FirstBlood Bugs


FirstBlood ID Description Type Found By
1 There is an open url redirect vulnerability on /logout.php. The code expects it to start with / and does not allow to redirect to external domains but this can be bypassed. Open Redirect 36
2 The parameter "goto" is vulnerable to XSS on login.php. The web application makes use of a WAF but this can be bypassed as it's only looking for certain HTML tags and event handlers. It is also vulnerable to open redirect but XSS is the intended bug. Reflective XSS 14
3 The parameter "ref" is vulnerable to XSS on login.php. The developer has tried to prevent a malicious actor from redirecting to a javascript URI but the attempt to stop this was poor and thus it can be bypassed. Reflective XSS 10
4 The parameter "ref" is vulnerable to XSS on register.php. The developer made use of htmlentities but this is inadequate as the HREF is wrapped in single quotes. Reflective XSS 7
5 The endpoint QA.php (to query for an appointment) will allow for integer values to be used when querying for appointments. A bad cause of security through obscurity was attempted. IDOR 14
6 The endpoint MA.php (to modify an appointment) will allow for integer values to be used when modifying appointments. A bad cause of security through obscurity was attempted. IDOR 16
7 The endpoint MA.php (to modify an appointment) only allows for certain values to be modified, however due to some application logic error, if the user has tried to signup as a doctor and has the cookie "doctorAuthed" set, then it allows them to modify the email address for any appointment. Application/Business Logic 17
8 When cancelling an appointment, an attacker can add a malicious XSS payload that will execute against administrators/doctors Stored XSS 12
9 When cancelling an appointment, an attacker can add a malicious XSS payload that will execute on manageappointment. Any user (non authed) can view this and will be affected. Stored XSS 4
10 When creating an appointment, it is possible to get stored XSS /drapi/query.php via the patients name Stored XSS 25
11 Administrator endpoints can be accessed by non privileged doctor accounts which reveals sensitive patient information. Application/Business Logic 31
12 If the request method is changed from POST to GET, then the endpoint /drapi/qp.php becomes available to ANY user due to an application logic error Auth issues 18
13 /attendees/event can be seen on the HackerBack.html page but has a blank response. Upon further inspection and from making use of the web app, you will notice you can add certain headers in order to interact with this endpoint. An old event ID leaks PII information about attendees. Info leak 26
14 The parameter "goto" is vulnerable to XSS on login.php. The web application fails to filter the javascript URI upon redirecting Reflective XSS 3
15 A doctors invite code is leaked on the internet which if used grants anyone access to the doctor portal. The invite code should expire after use. Auth issues 26
16 The parameter "ref" is vulnerable to XSS on register.php. The developers failed to filter javascript: when used on "return to previous page" Reflective XSS 5
17 Unintended: An account with the same username can be created which leads to the original account being deleted and replaced with the attackers Auth issues 9