FirstBlood-#328: Valid doctor credentials could be obtained without an invitation code
This issue was discovered on FirstBlood v2

On 2021-10-25, panya (Level 7) reported:

Steps to reproduce:

  1. Visit doctor registration page.
  2. Fill the form with admin as username and test as the invite code.
  3. Press the "Secure Register" button.

Actual result:

Registration will be successful. The message with valid creds will be shown:

Success! Your account has been created with the following credentials:

Username: admin
Password: PyI0OYm016

Please save this in a secure place.

Expected result:

The testing creds (test as the invite code) should not be working on production. The form should properly validate the filled invite code.


An attacker could get credentials to login as a doctor.

P3 Medium

Endpoint: /register.php

Parameter: inviteCode

Payload: test

FirstBlood ID: 24
Vulnerability Type: Auth issues

The old invite code was deleted, but when testing FirstBlood v2 the developers accidentally left the test invite code working.
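As an added example (not FirstBlood's own code), a Python model of the invite-code check behind a registration endpoint: the vulnerable version keeps a leftover test path of the kind this report describes, beside a hardened version that accepts only issued, single-use codes. The store contents, function names and the password-hashing parameters are constructed assumptions.

```python
"""Model of invite-code validation for a doctor registration endpoint."""
import hashlib
import hmac
import secrets

# Constructed sample store of codes actually issued to doctors: code -> state.
ISSUED_CODES = {"7f3c9a2b1d": "unused", "e4b0a11c09": "unused"}


def validate_invite_vulnerable(code: str, issued: dict) -> bool:
    """Leftover development shortcut: the debug code is accepted in every
    environment, including production. This is the defect in the report."""
    if code == "test":  # hypothetical leftover test path
        return True
    return issued.get(code) == "unused"


def validate_invite_hardened(code: str, issued: dict) -> bool:
    """Accept only a code that was issued and not yet used, then consume it.
    No debug code exists at all: tests seed a real code into the store.
    Comparison is constant-time and any unexpected state fails closed."""
    if not isinstance(code, str) or not code.isascii() or not 8 <= len(code) <= 64:
        return False
    for issued_code, state in issued.items():
        if hmac.compare_digest(issued_code, code):
            if state != "unused":
                return False
            issued[issued_code] = "used"  # single use
            return True
    return False


def issue_invite(issued: dict) -> str:
    """Mint a fresh random invite code and record it as unused."""
    code = secrets.token_hex(8)
    issued[code] = "unused"
    return code


def register_doctor(username: str, invite_code: str, issued: dict, users: dict):
    """Registration flow: return the generated password on success, else None.
    Only a salted hash of the password is stored (scrypt parameters are illustrative)."""
    if username in users or not validate_invite_hardened(invite_code, issued):
        return None
    password = secrets.token_urlsafe(12)
    salt = secrets.token_bytes(16)
    users[username] = (salt, hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1))
    return password
```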