FirstBlood #377: Unique invite code bypass
This issue was discovered on FirstBlood v2

On 2021-10-25, vigilante Level 4 reported:


It is possible to create a new account with the test/test credentials instead of using a unique invite code.

Steps to reproduce

  1. Navigate to Services > Doctor login.
  2. Click on the "register here" URL.
  3. Use username: test and unique invite code: test, then click on "Secure register".
  4. You'll get a message that you've successfully created an account.

Success! Your account has been created with the following credentials:

Username: test Password: Kpu2K8iIta

POST /register.php HTTP/1.1
Cookie: doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Pragma: no-cache
Cache-Control: no-cache
Te: trailers
Connection: close

It is possible to bypass the unique code requirement; it looks like some test credentials made it to production, and we can use the word "test" when creating new accounts.

P3 Medium

Endpoint: /register.php

Parameter: inviteCode=

Payload: test

FirstBlood ID: 24
Vulnerability Type: Auth issues

The old invite code was deleted, but when testing FirstBlood v2 the developers accidentally left the test code working.
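As an added illustration (this is not FirstBlood's code; the store layout, function names and generated codes are assumptions), the registration check below places a leftover development shortcut of the kind this report describes next to a registry of single-use invite codes that has no such branch. The hardened path only ever consults the store, stores digests rather than raw codes, and marks a code used on first redemption so it cannot be replayed.

```python
"""Invite-code validation: leftover test shortcut versus single-use registry.

Added example, not FirstBlood code. InviteStore, register_vulnerable and
register_hardened are hypothetical names; the codes are generated at runtime.
"""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# A development-only constant that was never removed: the root cause class
# reported above (the report's value was the literal word "test").
DEV_TEST_CODE = "test"


@dataclass
class InviteStore:
    """Maps sha256(code) -> True while the code is still unredeemed."""

    _codes: Dict[str, bool] = field(default_factory=dict)

    @staticmethod
    def _digest(code: str) -> str:
        # Only digests are kept, so a leaked table does not yield usable codes.
        return hashlib.sha256(code.encode("utf-8")).hexdigest()

    def issue(self) -> str:
        """Mint a fresh, unguessable invite code and record it as unused."""
        code = secrets.token_urlsafe(16)
        self._codes[self._digest(code)] = True
        return code

    def redeem(self, code: str) -> bool:
        """Return True exactly once per issued code; unknown or used codes fail."""
        key = self._digest(code)
        if not self._codes.get(key, False):
            return False
        self._codes[key] = False  # consume: the code is single-use
        return True


def _create_account(username: str) -> dict:
    # Generated password, as in the success message the report quotes.
    return {"username": username, "password": secrets.token_urlsafe(12)}


def register_vulnerable(username: str, invite_code: str, store: InviteStore) -> Optional[dict]:
    """The flawed check: anyone who knows the test word skips the invite system."""
    if invite_code != DEV_TEST_CODE and not store.redeem(invite_code):
        return None
    return _create_account(username)


def register_hardened(username: str, invite_code: str, store: InviteStore) -> Optional[dict]:
    """The fixed check: the store is the only authority on what an invite code is."""
    if not invite_code or not store.redeem(invite_code):
        return None
    return _create_account(username)


if __name__ == "__main__":
    store = InviteStore()
    real_code = store.issue()
    print("vulnerable + 'test':", register_vulnerable("test", DEV_TEST_CODE, store) is not None)
    print("hardened   + 'test':", register_hardened("test", DEV_TEST_CODE, store) is not None)
    print("hardened   + issued:", register_hardened("alice", real_code, store) is not None)
    print("hardened   + replay:", register_hardened("bob", real_code, store) is not None)
```

The difference between the two functions is a single `or`-style branch, which is why this class of defect survives review: a search of the registration code for string comparisons against literals (and a test that asserts the literal "test" is rejected) is the practical check before a release.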