FirstBlood-#328 — Valid doctor credentials could be obtained without an invitation code
This issue was discovered on FirstBlood v2
On 2021-10-25, panya Level 7 reported:
Steps to reproduce:
- Visit doctor registration page.
- Fill the form with 'admin' as the username and 'test' as the invite code.
- Press the "Secure Register" button.
Actual result:
Registration will be successful. The message with valid creds will be shown:
Success! Your account has been created with the following credentials:
Username: admin
Password: PyI0OYm016
Please save this in a secure place.
Expected result:
The testing creds ('test' as the invite code) should not be working on production.
The form should properly validate the filled invite code.
Impact:
An attacker could get credentials to login as a doctor.
P3 Medium
Endpoint: /register.php
Parameter: inviteCode
Payload: test
FirstBlood ID: 24
Vulnerability Type: Auth issues
The old invite code was deleted, but when testing FirstBlood v2 the developers accidentally left the test code working.
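The root cause described above (a static development code that still validates in production) is easy to model next to a design that cannot have that failure mode. The following is an added example and not FirstBlood's own code: the class and function names, the candidate list in the probe, and the SHA-256 digest store are assumptions made for illustration; the only fact taken from the report is that the literal invite code "test" was accepted. The vulnerable registrar keeps a hard-coded allow-list, the hardened one accepts only server-issued, single-use codes that are stored as digests, and the probe generalizes the check the reporter performed to a short list of guessable codes.

```python
"""Invite-code validation: the reported weakness beside a hardened design.

Added example, not FirstBlood's own code. Class and function names are
assumptions for illustration; the only value taken from the report is the
leftover invite code "test".
"""
import hashlib
import secrets


def _gen_password(nbytes: int = 8) -> str:
    """Server-generated password, as shown in the report's success message."""
    return secrets.token_urlsafe(nbytes)


class VulnerableRegistrar:
    """Models the reported behaviour: a development invite code left enabled.

    Any request carrying inviteCode=test gets an account, whether or not a
    real invitation was ever issued.
    """

    # Hypothetical leftover allow-list; "test" is the value from the report.
    DEV_CODES = {"test"}

    def register(self, username: str, invite_code: str):
        if invite_code in self.DEV_CODES:
            return {"username": username, "password": _gen_password()}
        return None


class InviteStore:
    """Single-use invite codes, held only as SHA-256 digests (assumed design)."""

    def __init__(self):
        self._digests = {}  # sha256(code) -> True once redeemed, False while unused

    @staticmethod
    def _digest(code: str) -> str:
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self) -> str:
        # 128 bits of randomness: not guessable, unlike a fixed word such as "test".
        code = secrets.token_urlsafe(16)
        self._digests[self._digest(code)] = False
        return code

    def redeem(self, candidate: str) -> bool:
        # Lookup is by digest only; there is no static fallback list that could
        # survive from a test build into production.
        key = self._digest(candidate)
        if self._digests.get(key) is not False:  # None = unknown, True = already used
            return False
        self._digests[key] = True  # burn the code on first successful use
        return True


class HardenedRegistrar:
    def __init__(self, store: InviteStore):
        self.store = store

    def register(self, username: str, invite_code: str):
        if not self.store.redeem(invite_code):
            return None
        return {"username": username, "password": _gen_password()}


def probe_leftover_codes(registrar, candidates=("test", "admin", "1234", "invite")):
    """The reporter's check, generalized: which guessable codes create an account?"""
    return [c for c in candidates if registrar.register(f"probe_{c}", c) is not None]


if __name__ == "__main__":
    print("vulnerable accepts:", probe_leftover_codes(VulnerableRegistrar()))
    store = InviteStore()
    hardened = HardenedRegistrar(store)
    print("hardened accepts:", probe_leftover_codes(hardened))
    code = store.issue()
    print("issued code works once:",
          hardened.register("dr_x", code) is not None,
          hardened.register("dr_y", code) is None)
```

The probe is the part worth reusing when testing any invitation-gated signup: run it against the production registration endpoint with a handful of obvious development values before looking for deeper flaws, since the hardened store returns nothing for every one of them while the vulnerable registrar hands out credentials for "test".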