FirstBlood-#540Test Credentials are still working
This issue was discovered on FirstBlood v2

On 2021-10-26, d20s84 Level 3 reported:

Hi Sean!! New day new Vuln!! I realized that the test credentials are still working on the register page.

Summary :

Test credentials are still working through which anyone can register as a doctor and imporsonate the doctor .

How ?

I read the scope of the program once again expecting that i would get something for sqli but ended up finding this. LOL!!

After some non fruitful tries on login,php/ endpoint i moved to register.php. Took a name from doctors.php/ endpoint and submitted it in username.In the invite code section i submitted test and clicked on the register button. Boom!!


Attacker can impersonate as a doctor and look through the patient portal.

P.s: I am sorry for one of the screenshots that contains the discord msg. Actually I was discussing with thatman about the testcases for login.php . I just saw it and edited the report.

P3 Medium

Endpoint: /register.php

Parameter: invitecode=test

Payload: -

FirstBlood ID: 24
Vulnerability Type: Auth issues

The old invite code was deleted but when testing FirstBlood v2 the developers accidentally left the test code working.