FirstBlood-#187 — Information Disclosure allowing an attacker to register as a doctor
This issue was discovered on FirstBlood v1
On 2021-05-11, c3phas Level 4 reported:
Summary
Hi, I found (after so many days of scratching my head) an information disclosure on Reddit which leaks an invite code allowing one to register as a doctor.
On register.php a doctor must have an invite-code in order to be registered.
Doing some dorking, I came across a post on Reddit which leaked a code.

Using the above code, I was able to register an account as a doctor.

Impact
Anyone can get an account as a doctor
P2 High
Endpoint: /register.php
Parameter: invite-code
Payload: NA
FirstBlood ID: 15
Vulnerability Type: Auth issues
A doctor's invite code is leaked on the internet which, if used, grants anyone access to the doctor portal. The invite code should expire after use.
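
One way to make an invite code expire after use, as an added sketch that is not FirstBlood's code: the table layout, function names and 24-hour default lifetime are assumptions. Redemption is a single conditional UPDATE, so a code that was already used or has aged out, such as one that later surfaces in a public post, is rejected even when two registrations race.

```python
import hashlib
import secrets
import sqlite3
import time


def open_store():
    """Create the (assumed) invite table in an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE invites ("
        " code_hash TEXT PRIMARY KEY,"   # only a digest is stored, never the code
        " expires_at REAL NOT NULL,"     # absolute expiry, seconds since epoch
        " used_by TEXT)"                 # NULL until the code is redeemed
    )
    return db


def _digest(code):
    return hashlib.sha256(code.encode("utf-8")).hexdigest()


def issue_invite(db, ttl_seconds=86400, now=None):
    """Generate a random code with a bounded lifetime and return it once."""
    now = time.time() if now is None else now
    code = secrets.token_urlsafe(16)
    db.execute("INSERT INTO invites VALUES (?, ?, NULL)",
               (_digest(code), now + ttl_seconds))
    db.commit()
    return code


def redeem_invite(db, code, username, now=None):
    """Consume the code atomically; True only for the first valid use."""
    now = time.time() if now is None else now
    cur = db.execute(
        "UPDATE invites SET used_by = ?"
        " WHERE code_hash = ? AND used_by IS NULL AND expires_at > ?",
        (username, _digest(code), now),
    )
    db.commit()
    # rowcount is 1 only if the code existed, was unused and had not expired.
    return cur.rowcount == 1
```

The registration handler would call `redeem_invite` in the same transaction that creates the doctor account and refuse the registration when it returns `False`.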