FirstBlood-#436A: doctor invite code is easily guessable and grants anyone access to the doctor portal and patient PII data
This issue was discovered on FirstBlood v2

On 2021-10-25, xnl-h4ck3r Level 4 reported:

Summary

Due to a number of vulnerabilities, an attacker is able to register on the app and obtain all patient PII data.

On endpoint /register.php it says: "Note: Doctor accounts are pre-made so please enter your username and invite code to activate your account".

  • Firstly, an invite code of "test" is easily guessable while they are testing their new version.
  • Secondly, an invite code can be used multiple times, so an attacker has the opportunity to make use of this code even if it has been used before.
  • Thirdly, an attacker is able to register using any username, not just a Doctor account that has been pre-made (although likely usernames are on /doctors.html).

Once registered, the attacker can then access the Management panel on /drpanel/index.php. The user is informed with "Warning: As your account has been recently registered you will not be able to view patient information yet."

The attacker has access to the full names of patients who have appointments that day, and of those who have cancelled appointments.

Steps To Reproduce

  1. Go to /register.php, enter a username and a Unique invite code of "test"
  2. Log in as the new user, and observe the message below:

Impact

Authorisation controls can be bypassed, allowing new users access to patient appointment PII data.

P3 Medium

Endpoint: /register.php

Parameter: n/a

Payload: test

FirstBlood ID: 24
Vulnerability Type: Auth issues

The old invite code was deleted but when testing FirstBlood v2 the developers accidentally left the test code working.
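The three weaknesses the report lists (a guessable shared code, a code that can be reused, and a code not tied to any pre-made doctor account) are all properties of how the invite code is issued and checked. The following Python is an added illustration written for this page, not FirstBlood's own register.php logic: `weak_register` mirrors the flawed pattern the report describes, and `InviteStore` is a hypothetical hardened design in which each code is high-entropy, bound to one pre-made account, single-use and time-limited, with a separate approval gate for viewing patient data. The doctor usernames and the "test" code are constructed sample values.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed sample of the pre-made doctor accounts that register.php refers to.
PREMADE_DOCTORS = {"drjones", "drsmith"}


def weak_register(username: str, code: str) -> bool:
    """The pattern the report describes, for contrast only: one static,
    guessable code accepted for any username, any number of times."""
    static_code = "test"  # low entropy, shared by everyone, never consumed
    return code == static_code


@dataclass
class Invite:
    username: str      # bound to exactly one pre-made account
    code_hash: bytes   # only a hash is stored, as with a password
    expires_at: float  # unix timestamp
    used: bool = False


class InviteStore:
    """Hypothetical hardened invite handling: per-account, single-use, expiring codes."""

    def __init__(self) -> None:
        self._invites: Dict[str, Invite] = {}
        self.activated: Set[str] = set()  # accounts that completed registration
        self.approved: Set[str] = set()   # accounts an admin has cleared for patient data

    @staticmethod
    def _hash(code: str) -> bytes:
        return hashlib.sha256(code.encode("utf-8")).digest()

    def issue(self, username: str, ttl_seconds: int = 86400,
              now: Optional[float] = None) -> str:
        """Create a code for one pre-made doctor; the clear-text code is returned
        once so it can be delivered out of band and is never stored."""
        if username not in PREMADE_DOCTORS:
            raise ValueError("invites are only issued for pre-made doctor accounts")
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(32)  # ~256 bits of entropy, not guessable
        self._invites[username] = Invite(username, self._hash(code), now + ttl_seconds)
        return code

    def register(self, username: str, code: str, now: Optional[float] = None) -> bool:
        """Activate the account only if the code matches the invite issued for
        this exact username, has not been used, and has not expired."""
        now = time.time() if now is None else now
        inv = self._invites.get(username)
        if inv is None or inv.used or now > inv.expires_at or username in self.activated:
            return False
        # Constant-time comparison of hashes so timing does not leak the code.
        if not hmac.compare_digest(inv.code_hash, self._hash(code)):
            return False
        inv.used = True  # consume the code: a second registration with it fails
        self.activated.add(username)
        return True

    def approve(self, username: str) -> None:
        """Admin step: clear a registered doctor to see patient information."""
        if username in self.activated:
            self.approved.add(username)

    def can_view_patients(self, username: str) -> bool:
        """Server-side gate matching the panel's warning: a freshly registered
        account must not see patient names until it has been approved."""
        return username in self.activated and username in self.approved
```

The `register` check is deliberately keyed by username first, so a valid code issued to one doctor cannot be presented under a different name, and `can_view_patients` makes the "you will not be able to view patient information yet" warning an enforced rule rather than a message.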