FirstBlood-#689 — Bypass the invitation code and register your self as a doctor
This issue was discovered on FirstBlood v2
On 2021-10-27, 0xsaltyhash Level 3 reported:
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Membership
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles
Summary:
In v1 of firstblood we were able to register as doctors by using a leaked invite code, but this has been fixed and the leaked code is no longer valid.
so in order for attacker to register and gain access to the drpanel, he/she needs to obtain a valid invite code.
the scope of firstblood v2 had something out of place, the word testing, so i tried to use test as invite code, and it worked!
Steps to reproduce:
- Go to /register.php page.
- Enter your desired username.
- In invite code field enter
test and submit the request.
- Observe that the registration is successful and the account is created.
P3 Medium
Endpoint: /register.php
Parameter: inviteCode
Payload: inviteCode=test
FirstBlood ID: 24
Vulnerability Type: Auth issues
The old invite code was deleted but when testing FirstBlood v2 the developers accidentally left the test code working.