FirstBlood-#1013 Default credentials on login page
This issue was discovered on FirstBlood v3

On 2022-12-08, lumbridge7 Level 4 reported:

Hello firstblood team!


Many web applications and hardware devices have default passwords for the built-in administrative account. Although in some cases these can be randomly generated, they are often static, meaning that they can be easily guessed or obtained by an attacker.

Additionally, when new users are created on the applications, these may have predefined passwords set. These could either be generated automatically by the application, or manually created by staff. In both cases, if they are not generated in a secure manner, the passwords may be possible for an attacker to guess or to brute force with a credentials wordlist such as

Steps to reproduce

  1. go to
  2. log in with the credentials admin:admin
  3. get access to the doctor dashboard



Anyone is able to access the doctor dashboard with administrative privileges by guessing or brute-forcing the credentials and the drId.


Endpoint: /login.php

Parameter: null

Payload: null

FirstBlood ID: 48
Vulnerability Type: Auth issues

The /drpanel/login.php endpoint accepts weak default credentials (admin:admin), which allows anyone to access the admin panel.
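As an added example that is not part of lumbridge7's report or of the FirstBlood application, the following Python code shows the defensive counterpart of the two points the report makes: an audit that flags accounts whose stored password hash still matches a well-known default pair such as admin:admin, and a generator for initial passwords of new accounts that cannot be guessed from a wordlist. The default-credential list, the PBKDF2 parameters, and the sample accounts are constructed assumptions, not values from the page.

```python
import hashlib
import hmac
import secrets
import string

# Constructed, illustrative list of well-known default username:password pairs.
# A real deployment would load a maintained wordlist instead.
KNOWN_DEFAULTS = [
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "123456"),
    ("root", "root"),
    ("doctor", "doctor"),
]


def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """PBKDF2-HMAC-SHA256 stand-in for whatever hashing the application uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison so the audit itself does not leak timing."""
    return hmac.compare_digest(hash_password(password, salt), stored)


def audit_default_credentials(users, defaults=KNOWN_DEFAULTS):
    """Return the usernames whose stored hash still matches a known default pair.

    users maps username -> (salt, stored_hash). Only default pairs whose username
    matches the account are tried, so the cost is bounded by the default list
    and never becomes a general brute force against the password store.
    """
    flagged = []
    for username, (salt, stored) in users.items():
        for default_user, default_pass in defaults:
            if default_user == username and verify_password(default_pass, salt, stored):
                flagged.append(username)
                break
    return flagged


def generate_initial_password(length: int = 16) -> str:
    """Random initial password for a newly created account (CSPRNG-backed)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def build_sample_users():
    """Constructed sample store: one account still on admin:admin, one rotated."""
    salt_admin = b"constructed-salt-admin"
    salt_doctor = b"constructed-salt-doctor"
    return {
        "admin": (salt_admin, hash_password("admin", salt_admin)),
        "drsmith": (salt_doctor, hash_password(generate_initial_password(), salt_doctor)),
    }


if __name__ == "__main__":
    for name in audit_default_credentials(build_sample_users()):
        print(f"account '{name}' still uses a known default password; force a reset")
```

Running the audit at deployment time (or as a scheduled job) turns the finding in this report into something the operators catch before a tester does; the generator covers the second paragraph of the report, where predefined passwords for new users are the weak point.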