FirstBlood-#509: Weak unique invite code for registering doctor account
This issue was discovered on FirstBlood v2

On 2021-10-25, 0xconft Level 5 reported:

Hi there,

I tested that the inviteCode parameter is accepting "test" as the invite code, and I can use this invite code to create a doctor account. I can also use it again to create another account, but my previous account that I created with that invite code will be deleted.


POST /register.php HTTP/1.1
Content-Length: 51
Cache-Control: max-age=0
Sec-Ch-Ua: "Google Chrome";v="95", "Chromium";v="95", ";Not A Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

<div style="padding: 5px 5px 5px 5px; border: 2px solid green;">
Success! Your account has been created with the following credentials:
<b>Username: bobbuilder</b> <br> <b>Password: 1t60wIqPwP</b>

Best Regards, 0xconft

P3 Medium

Endpoint: /register.php

Parameter: inviteCode

Payload: test

FirstBlood ID: 24
Vulnerability Type: Auth issues

The old invite code was deleted but when testing FirstBlood v2 the developers accidentally left the test code working.
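
A hardened version of the invite check, as an added example (not FirstBlood's code, and in Python rather than the application's PHP): codes exist only if they were issued from a CSPRNG, there is no hardcoded test value, and each code is consumed atomically so a second registration can neither succeed nor touch the first account. The table layout and the function names `open_store`, `issue_invite` and `register_doctor` are assumptions made for the illustration.

```python
import hashlib
import secrets
import sqlite3


def open_store():
    """Create an in-memory store (hypothetical schema for this example)."""
    db = sqlite3.connect(":memory:")
    with db:
        db.execute("CREATE TABLE invites (code_hash TEXT PRIMARY KEY, used_by TEXT)")
        db.execute("CREATE TABLE doctors (username TEXT PRIMARY KEY)")
    return db


def _hash(code):
    # Only a digest of the code is stored, so a database leak does not
    # hand out usable invite codes.
    return hashlib.sha256(code.encode("utf-8")).hexdigest()


def issue_invite(db):
    """Issue a fresh, unguessable invite code (128 bits from the OS CSPRNG)."""
    code = secrets.token_urlsafe(16)
    with db:
        db.execute("INSERT INTO invites (code_hash) VALUES (?)", (_hash(code),))
    return code


def register_doctor(db, invite_code, username):
    """Create the account only if invite_code was issued and is still unused."""
    try:
        with db:  # one transaction: consume the code and create the account
            cur = db.execute(
                "UPDATE invites SET used_by = ? "
                "WHERE code_hash = ? AND used_by IS NULL",
                (username, _hash(invite_code)),
            )
            if cur.rowcount != 1:
                return False  # unknown code (e.g. "test") or already consumed
            db.execute("INSERT INTO doctors (username) VALUES (?)", (username,))
    except sqlite3.IntegrityError:
        return False  # username taken; the rollback leaves the code unused
    return True
```
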