FirstBlood-#380 Easily guessed invited code on doctor register
This issue was discovered on FirstBlood v2

On 2021-10-25, neolex Level 2 reported:


It is possible to register a doctor because the invite code is easily guessable. The current invite code is "test".

Step to reproduce


You should make an invite code not easily guessable


Attackers can register as a doctor

P3 Medium

Endpoint: /register.php

Parameter: inviteCode

Payload: test

FirstBlood ID: 24
Vulnerability Type: Auth issues

The old invite code was deleted but when testing FirstBlood v2 the developers accidentally left the test code working.
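
One way to implement the recommendation above, as an added example that is not FirstBlood's code or part of the original report: invite codes are drawn from the CSPRNG, stored only as hashes, and accepted once before they expire, so no static or leftover test value can ever match. The function names, the array standing in for a database table and the 24-hour lifetime are assumptions.

```php
<?php
declare(strict_types=1);

// Added example with hypothetical helpers; $store stands in for a database table.

/** Issue a 128-bit random invite code; only its SHA-256 hash is kept server-side. */
function issueInviteCode(array &$store, int $ttlSeconds = 86400): string
{
    $code = bin2hex(random_bytes(16));        // 32 hex characters from the CSPRNG
    $store[hash('sha256', $code)] = [
        'expires' => time() + $ttlSeconds,
        'used'    => false,
    ];
    return $code;                             // shown once to the invited doctor
}

/** Validate and consume the value submitted in the inviteCode parameter. */
function redeemInviteCode(array &$store, string $submitted, ?int $now = null): bool
{
    $now = $now ?? time();
    // Only the exact issued format is considered, so short words never reach the lookup.
    if (preg_match('/\A[0-9a-f]{32}\z/', $submitted) !== 1) {
        return false;
    }
    $key = hash('sha256', $submitted);
    if (!isset($store[$key])) {
        return false;                         // unknown code
    }
    if ($store[$key]['used'] || $store[$key]['expires'] < $now) {
        return false;                         // already redeemed or expired
    }
    $store[$key]['used'] = true;              // single use: one code, one registration
    return true;
}

// Constructed demo data.
$store = [];
$code  = issueInviteCode($store);
var_dump(redeemInviteCode($store, 'test'));   // the guessable value from the report
var_dump(redeemInviteCode($store, $code));    // the freshly issued code
var_dump(redeemInviteCode($store, $code));    // the same code submitted a second time
```

Rate limiting failed attempts on the registration endpoint complements this, since it limits guessing even if a weaker code is ever reintroduced.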