FirstBlood-#887 — Doctor Role can be obtained using leaked invite code
This issue was discovered on FirstBlood v2
On 2021-10-30, mrrootsec Level 2 reported:
Hello Zseano,Hope you are doing well..Say hi to Sebastian :)
Firstblood application is asking invite code when registering as a doctor. Invite code is being leaked in FirstBlood Scope & Policy .Using the leaked invite code anyone can register as doctor role.
Steps to Reproduce the Issue :
- Navigate to the FirstbloodV2 Program Scope and Policy
If you read carefully at the Credentials available paragraph test is being highlighted in the policy
- Then go to the https://719f36d6abd3-mrrootsec.a.firstbloodhackers.com/register.php
Provide any username and invite code from policy page and register. You can see the application validates the invite code and provide the access credentials
- As an attacker using this leaked invite code,attacker can register as doctor role and can impersonate the user by doing malicious activities.
Remediaton / Fix :
- Invite code & Tokens should be restricted to the public users.
Thanks and Regards
FirstBlood ID: 24
Vulnerability Type: Auth issues
The old invite code was deleted but when testing FirstBlood v2 the developers accidentally left the test code working.