holybugx

Rank #2, Level 5

112 unique bugs discovered in 241 hours, 28 minutes and 51 seconds
123 reports accepted
98% accuracy
[Charts: Vulnerability Types Found; Bug Submissions & total bug count]
Hackevent (FirstBlood) Activity

| Report Title | Event ID | Severity | Vulnerability Type |
|---|---|---|---|
| Open redirect on the logout.php endpoint [COLLAB] | FirstBlood v1 | Low | Open Redirect |
| Unauthorized users can access the "/drpanel/drapi/qp.php" endpoint and access users' PII [COLLAB] | FirstBlood v1 | CRITICAL | Authorisation Issue |
| Registering to the application as a doctor due to the leaked invitation code [COLLAB] | FirstBlood v1 | High | Authorisation Issue |
| New doctors can query appointments and user information using the vulnerable /drpanel/drapi/query.php endpoint | FirstBlood v1 | CRITICAL | Application/Business Logic |
| Unauthorized access to critical users' PII through the vulnerable /attendees/event.php endpoint | FirstBlood v1 | CRITICAL | Info leak |
| Stored XSS through the appointment cancellation message leading to account takeover | FirstBlood v1 | CRITICAL | Stored XSS |
| Patients can modify their information without authorization on the "/manageappointment.php" endpoint | FirstBlood v1 | High | Application/Business Logic |
| Reflective XSS through the vulnerable ref header on the /register.php endpoint | FirstBlood v1 | Medium | Reflective XSS |
| Reflective XSS on the /login.php endpoint through the vulnerable `ref` parameter | FirstBlood v1 | Medium | Reflective XSS |
| Emails and comments of other users can be changed using IDOR on aptID | FirstBlood v1 | High | Insecure direct object reference |
| New doctors can query appointments and user information using the /drpanel/drapi/qp.php endpoint | FirstBlood v1 | CRITICAL | Application/Business Logic |
| Reflected XSS using the hidden "goto" parameter leads to Admin Account Takeover | FirstBlood v1 | High | Reflective XSS |
| Stored XSS on the /drpanel/drapi/query.php endpoint leading to Admin Account Takeover | FirstBlood v1 | High | Stored XSS |
| Stored XSS on /manageappointment.php using the message parameter leading to account takeover | FirstBlood v1 | High | Stored XSS |
| Reflected XSS on register.php through the ref parameter [Bypass] | FirstBlood v2 | Medium | Reflective XSS |
| Stored XSS on /manageappointment.php using the message parameter [Bypass] | FirstBlood v2 | High | Stored XSS |
| Reflected XSS on /login.php through the "goto" parameter leading to ATO | FirstBlood v2 | Medium | Reflective XSS |
| Reflected XSS on /login.php using the "goto" parameter and the javascript scheme | FirstBlood v2 | Medium | Reflective XSS |
| Stored XSS through the appointment cancellation message leads to ATO | FirstBlood v2 | High | Stored XSS |
| Several information leaks through the vaccination proof list | FirstBlood v2 | CRITICAL | Info leak |
| Unauthorized access to the edit password API leading to Account Takeover | FirstBlood v2 | CRITICAL | Auth issues |
| Open Redirect on the logout.php endpoint [Bypass] | FirstBlood v2 | Low | Open Redirect |
| SQL Injection on /vaccination-manager/login.php through the password parameter | FirstBlood v2 | CRITICAL | SQL Injection |
| Stored XSS through the file upload and unsanitized User-Agent | FirstBlood v2 | High | Stored XSS |
| Referer-based XSS on the /login.php endpoint leading to ATO | FirstBlood v2 | Medium | Reflective XSS |
| Cancelled appointments are still accessible through the /manageappointment.php endpoint | FirstBlood v2 | Low | Application/Business Logic |
| Insecure Deserialization leading to complete server takeover + Privesc | FirstBlood v2 | CRITICAL | Deserialization |
| New doctors have unauthorized access to patient management details | FirstBlood v2 | Medium | Application/Business Logic |
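Several of the findings above cluster around one pattern: a redirect parameter (`goto`, `ref`, the logout target) that is both used as a redirect destination and reflected into the page, giving an open redirect, a `javascript:`-scheme XSS and, after a first fix, a bypass. The following is an added illustration of how a practitioner would validate such a parameter and encode it on output; it is not FirstBlood's code and does not reproduce the reported exploits. The handler shape, the `goto` parameter name and the sample payloads are assumptions chosen for the illustration, and Python is used as a language-neutral stand-in for the application's own server-side code.

```python
from html import escape
from urllib.parse import unquote, urlsplit


def safe_redirect_target(value: str, default: str = "/") -> str:
    """Return a same-site path for a user-supplied redirect parameter, or `default`.

    Illustrative validator (not FirstBlood's): it accepts only paths that start
    with a single "/" and rebuilds them from parsed parts, so absolute URLs,
    protocol-relative URLs and non-http schemes never reach a Location header.
    """
    if not value:
        return default
    # Decode once so encoded slashes/schemes are judged on their decoded form.
    candidate = unquote(value.strip())
    # Browsers treat "\" like "/" when parsing the authority, so "/\host"
    # would be followed as "//host"; normalise before inspecting.
    candidate = candidate.replace("\\", "/")
    # "//host" and "///host" both resolve to an external host in browsers.
    if candidate.startswith("//"):
        return default
    parts = urlsplit(candidate)
    # Any scheme (http, https, javascript, data, ...) or host means off-site.
    if parts.scheme or parts.netloc:
        return default
    if not parts.path.startswith("/"):
        return default  # bare "evil.example" or "login.php" is ambiguous
    target = parts.path
    if parts.query:
        target += "?" + parts.query
    return target  # fragment is intentionally dropped


def vulnerable_hidden_field(goto: str) -> str:
    """Reflects the raw parameter into an attribute: classic reflected XSS."""
    return f'<input type="hidden" name="goto" value="{goto}">'


def hardened_hidden_field(goto: str) -> str:
    """Validates the destination AND attribute-encodes it before reflecting.

    Redirect validation alone is not output encoding: a value such as
    /login.php"><script>... is a syntactically valid same-site path.
    """
    safe = safe_redirect_target(goto)
    return f'<input type="hidden" name="goto" value="{escape(safe, quote=True)}">'


# Constructed sample inputs covering the bypass shapes named in the findings.
SAMPLES = [
    "/manageappointment.php?aptID=5",      # legitimate same-site target
    "https://evil.example/",               # absolute external URL
    "//evil.example",                      # protocol-relative
    "/\\evil.example",                     # backslash trick
    "/%2F%2Fevil.example",                 # encoded slashes
    "javascript:alert(1)",                 # scheme-based XSS via redirect
    '/login.php"><script>alert(1)</script>',  # same-site path, XSS on reflection
]


def demo() -> dict:
    """Map each sample to the validated redirect target, for inspection."""
    return {s: safe_redirect_target(s) for s in SAMPLES}


if __name__ == "__main__":
    for raw, resolved in demo().items():
        print(f"{raw!r:45} -> {resolved!r}")
    print(hardened_hidden_field(SAMPLES[-1]))
```

The two functions are deliberately separate checks: `safe_redirect_target` decides where the browser may be sent, `hardened_hidden_field` decides how the value may appear in HTML. A fix that only adds the first is exactly the kind that gets a "[Bypass]" follow-up when the same parameter is still reflected unencoded.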