FirstBlood-#101 — Invite codes do not expire after use
This issue was discovered on FirstBlood v1
On 2021-05-10, jpdev Level 3 reported:
It is possible to reuse invite codes to register multiple accounts on to the system. However reusing the Invite code deletes the previous account to use the code
POST /register.php HTTP/1.1 Host: firstbloodhackers.com:49335 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 74 Origin: http://firstbloodhackers.com:49335 DNT: 1 Connection: close Referer: http://firstbloodhackers.com:49335/register.php Cookie: drps=d3caedab3f141960c4064dc80; doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9 Upgrade-Insecure-Requests: 1 action=register&username=jpdev&inviteCode=F16CA47250E445888824A9E63AE445CE
The impact here is that you lose control of who is accessing the system once the invite code is out in the wild. At this point you are giving someone a foothold into your system .. another layer of the onion per se
Amend the invite system to have one use codes that expire after a time period has passed. This means that codes will expire once used or if enough time has elapsed causing it to expire.
FirstBlood ID: 15
Vulnerability Type: Auth issues
A doctors invite code is leaked on the internet which if used grants anyone access to the doctor portal. The invite code should expire after use.