FirstBlood-#809 — An account with the same username can be created which leads to the original account being deleted and replaced with the attackers
This issue was discovered on FirstBlood v2
On 2021-10-28, xnl-h4ck3r Level 4 reported:
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles
Summary
In version 1 of First Blood, an account with the same username could be created which leads to the original account being deleted and replaced with the attackers. This doesn't to have been fixed. As long as a new user is created between the first and the replacement, it is accepted and overwriten
Steps to reproduce
-
Go to /register.php and enter a Username of xnluser1 and the Unique invite code of test to create a new account:
-
Try to enter the same Username of xnluser1 and the Unique invite code of test again to replace that account. This now fails because it has been "fxed":
-
Now create a different user, e.g. xnluser2 which is successful:
-
Now enter a Username of xnluser1 and the Unique invite code of test (as done in Step 1 and Step 2), but this time the registration is successful and a new password is given for the account xnluser1:
Impact
An attacker can register with a user name that already exists and replace that account.
P3 Medium
Endpoint: /register.php
Parameter: username
Payload: n/a
FirstBlood ID: 24
Vulnerability Type: Auth issues
The old invite code was deleted but when testing FirstBlood v2 the developers accidentally left the test code working.