holybugx has reached Level 4 with 75+ unique vulnerabilities discovered and they have proven to us that they understand web application vulnerabilities and how to discover them. If you run a bug bounty/vulnerability disclosure program and you are looking for an active, professional researcher, we recommend considering this user

holybugx

Rank #16 — Level 5

116
unique bugs discovered
184 hours, 47 minutes and 30 seconds active hacking time

127
reports accepted
98 Accuracy

Vulnerability Types Found

Bug Submissions & total bug count

Hackevent (FirstBlood) Activity

Below you can find disclosed reports from our Hackevents which are events we host for our members to win rewards. You can find more information here.

Report Title	Event ID	Severity	Vulnerability Type
Open redirect on the logout.php endpoint [COLLAB]	FirstBlood v1	Low	`Open Redirect`
Un-Authorized users can access "/drpanel/drapi/qp.php" endpoint and access users PII [COLLAB]	FirstBlood v1	CRITICAL	`Auth issues`
Registring to the application as a doctor due to the leaked invitation code [COLLAB]	FirstBlood v1	High	`Auth issues`
New doctors can query appointments and users informations using vulnerable /drpanel/drapi/query.php endpoint	FirstBlood v1	CRITICAL	`Application/Business Logic`
Un-Authorized access to critical users PII through the vulnerable /attendees/event.php endpoint	FirstBlood v1	CRITICAL	`Information leak/disclosure`
Stored XSS through the appointments cancelation message leading to account takeover	FirstBlood v1	CRITICAL	`Stored XSS`
Patient's can modify their information without authorization on "/manageappointment.php" endpoint	FirstBlood v1	High	`Application/Business Logic`
Reflective XSS through the vulnerable ref header on /register.php endpoint	FirstBlood v1	Medium	`Reflective XSS`
Reflective XSS on /login.php endpoint through the vulnerable `ref` parameter	FirstBlood v1	Medium	`Reflective XSS`
Emails and comments of other users can be changed using IDOR on aptID	FirstBlood v1	High	`Insecure direct object reference`
New doctors can query appointments and users information using /drpanel/drapi/qp.php endpoint	FirstBlood v1	CRITICAL	`Application/Business Logic`
Reflected XSS on using the hidden "goto" parameter leads to Admin Account Takeover	FirstBlood v1	High	`Reflective XSS`
Stored XSS on /drpanel/drapi/query.php endpoint leading to Admin Account Takeover	FirstBlood v1	High	`Stored XSS`
Stored XSS on /manageappointment.php using the message parameter leading to account takeover	FirstBlood v1	High	`Stored XSS`
Reflected XSS on register.php through the ref parameter [Bypass]	FirstBlood v2	Medium	`Reflective XSS`
Stored XSS on /manageappointment.php using the message parameter [Bypass]	FirstBlood v2	High	`Stored XSS`
Reflected XSS on /login.php through the "goto" parameter leading to ATO	FirstBlood v2	Medium	`Reflective XSS`
Reflected XSS on /login.php using "goto" parameter and javascript scheme	FirstBlood v2	Medium	`Reflective XSS`
Stored XSS through the appointments cancelation message leads to ATO	FirstBlood v2	High	`Stored XSS`
Several Information leakage through vaccination proof list	FirstBlood v2	CRITICAL	`Information leak/disclosure`
Unauthorized access to edit password API leading to Account Takeover	FirstBlood v2	CRITICAL	`Auth issues`
Open Redirect on logout.php endpoint [Bypass]	FirstBlood v2	Low	`Open Redirect`
SQL Injection on /vaccination-manager/login.php through password parameter	FirstBlood v2	CRITICAL	`SQL Injection`
Stored XSS through the file upload and unsanitized User-Agent	FirstBlood v2	High	`Stored XSS`
Referer Based XSS on /login.php endpoint leading to ATO	FirstBlood v2	Medium	`Reflective XSS`
Cancelled appointments are still accessible through /manageappointment.php endpoint	FirstBlood v2	Low	`Application/Business Logic`
Insecure Deserialization leading to complete server takeover + Privesc	FirstBlood v2	CRITICAL	`Deserialization`
New doctors unauthorized access to patients management details	FirstBlood v2	Medium	`Application/Business Logic`

BugBountyHunter