FirstBlood-#101: Invite codes do not expire after use
This issue was discovered on FirstBlood v1

On 2021-05-10, jpdev Level 3 reported:


It is possible to reuse invite codes to register multiple accounts onto the system. However, reusing the invite code deletes the previous account that used the code.


POST /register.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 74
DNT: 1
Connection: close
Cookie: drps=d3caedab3f141960c4064dc80; doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9
Upgrade-Insecure-Requests: 1




The impact here is that you lose control of who is accessing the system once the invite code is out in the wild. At this point you are giving someone a foothold into your system... another layer of the onion per se.


Amend the invite system to use one-use codes that expire after a time period has passed. This means that a code will expire once it is used or once enough time has elapsed.
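To make the recommended fix concrete, the following is an added illustration, not code from the FirstBlood application or from the reporter. It models an invite store in plain Python rather than PHP, and contrasts the reported behaviour (a code is only checked for existence, so it can be redeemed repeatedly and each redemption displaces the earlier account) with a hardened version that marks a code as consumed on first use and rejects it after a validity window. The store, the TTL value, the username-to-code map and the status strings are all assumptions made for the example.

```python
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

INVITE_TTL_SECONDS = 7 * 24 * 3600  # assumed validity window for an unused code


@dataclass
class Invite:
    code: str
    issued_at: float
    expires_at: float
    used_by: Optional[str] = None  # username that consumed the code, once redeemed


class InviteStore:
    """In-memory stand-in for an invites table (hypothetical; a real app would use its DB).

    `now` is injectable so expiry can be exercised without waiting.
    """

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._invites: Dict[str, Invite] = {}
        self.users: Dict[str, str] = {}  # username -> invite code used to register

    def issue(self, ttl: float = INVITE_TTL_SECONDS) -> str:
        # 32 hex characters, the same shape as the code in the report; generated randomly here
        code = secrets.token_hex(16).upper()
        t = self._now()
        self._invites[code] = Invite(code=code, issued_at=t, expires_at=t + ttl)
        return code

    def register_vulnerable(self, username: str, code: str) -> str:
        """Mirrors the reported behaviour: the code only has to exist, it is never
        consumed, and registering again with it replaces the earlier account."""
        if code not in self._invites:
            return "invalid"
        for existing_user, used_code in list(self.users.items()):
            if used_code == code:
                del self.users[existing_user]  # the previous account is lost
        self.users[username] = code
        return "ok"

    def register_fixed(self, username: str, code: str) -> str:
        """Hardened version: a code is single-use and rejected after its TTL.

        In a real database the check-and-consume must be one atomic statement, e.g.
          UPDATE invites SET used_by = ? WHERE code = ? AND used_by IS NULL
            AND expires_at > NOW()
        and registration proceeds only if exactly one row was affected; otherwise two
        concurrent requests could both pass the check before either marks the code used.
        """
        inv = self._invites.get(code)
        if inv is None:
            return "invalid"
        if inv.used_by is not None:
            return "already_used"
        if self._now() > inv.expires_at:
            return "expired"
        inv.used_by = username  # consume the code before creating the account
        self.users[username] = code
        return "ok"


if __name__ == "__main__":
    store = InviteStore()
    code = store.issue()
    print("vulnerable, first use :", store.register_vulnerable("alice", code))
    print("vulnerable, second use:", store.register_vulnerable("mallory", code),
          "| alice still present:", "alice" in store.users)
    code = store.issue()
    print("fixed, first use      :", store.register_fixed("bob", code))
    print("fixed, second use     :", store.register_fixed("eve", code))
```

The vulnerable path shows why a single leaked code is enough to take over the doctor onboarding flow; the fixed path makes a leaked code worthless once it has been redeemed or once the window has passed, and the comment in `register_fixed` notes the atomic update needed to prevent a race between the check and the consume step.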

P2 High

Endpoint: /register.php

Parameter: inviteCode

Payload: F16CA47250E445888824A9E63AE445CE

FirstBlood ID: 15
Vulnerability Type: Auth issues

A doctor's invite code is leaked on the internet which, if used, grants anyone access to the doctor portal. The invite code should expire after use.