shreky

Rank #43, Level 5

100 unique bugs discovered
184 hours, 45 minutes and 24 seconds active hacking time
116 reports accepted
97% accuracy

[Chart: Vulnerability Types Found]

[Chart: Bug Submissions & total bug count]


Hackevent (FirstBlood) Activity

| Report Title | Event ID | Severity | Vulnerability Type |
|---|---|---|---|
| [COLLAB with isitbug] XSS Bypassed | FirstBlood v2 | Medium | Reflective XSS |
| [COLLAB with isitbug] Reflected XSS bypassed | FirstBlood v2 | Medium | Reflective XSS |
| [COLLAB with isitbug] Old admin credentials still work | FirstBlood v2 | Informative | |
| [COLLAB with isitbug] Reflected XSS via message on cancelled appointment | FirstBlood v2 | High | Stored XSS |
| [COLLAB with isitbug] Still able to modify email on appointment | FirstBlood v2 | Medium | Application/Business Logic |
| [COLLAB with isitbug] Invite code is literally "test" | FirstBlood v2 | Medium | Auth issues |
| [COLLAB with isitbug] Blind LFI on /api/checkproof.php | FirstBlood v2 | Low | Information leak/disclosure |
| [COLLAB with isitbug] Non admin doctor can search patients through api | FirstBlood v2 | Medium | Application/Business Logic |
| [COLLAB with isitbug] Stored XSS via cancelled appointment's message that executes on doctors | FirstBlood v2 | High | Stored XSS |
| [COLLAB with isitbug] Open redirect bypass on logout | FirstBlood v2 | Low | Open Redirect |
| [COLLAB with isitbug] Able to change doctor passwords via admin API that is accessible by any doctor | FirstBlood v2 | Critical | Application/Business Logic |
| [COLLAB with isitbug] Information disclosure on multiple API endpoints | FirstBlood v2 | Critical | Information leak/disclosure |
| [COLLAB with isitbug] RCE through file upload deserialization | FirstBlood v2 | Critical | Deserialization |
| [COLLAB with isitbug] SQL Injection on Vaccination Management login page leading to unauthorized access to the panel | FirstBlood v2 | Critical | SQL Injection |
| [COLLAB with isitbug] Blind XSS through User-Agent header on Vaccination Management portal affecting admins | FirstBlood v2 | High | Stored XSS |
| [COLLAB with isitbug] Account takeover of TestDoctor with drps=%20 cookie | FirstBlood v2 | High | Application/Business Logic |