Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
BugBountyHunter Membership
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles Hackevents are virtual live hacking events to motivate & encourage our members as well as enable them to collaborate with each other. Learn more about our hackevents here.
Scope: 'FirstBloodHackers' (version 1.0)
Please note the parts of text below (describing the web app) and information on our web application is satire.
"FirstBlood" is a hospital that understands and care for everyone. Yes, everyone.
The world is a beautiful place, and so are you. Humans are so gifted we possess the ability to spread & share love which as a result makes others' feel good. Isn't that amazing?! We embrace love here at FirstBloodHackers and make sure you are looked after and we'll do our best to hack you back on track! Spread a little love today.
It is absolutely fine to stream/record yourself hacking on FirstBlood as well as making educational content using the web application
Available functionality
HackerCamps: "Fixing HackerBack".
Hackers are known to spend long periods of time on their computers, sometimes (okay, quite a lot!) slouching with bad posture. Overtime this can cause what we call, HackerBack, which is where your back is craving a good ole massage and a rest from hacking.
Book and manage your appointment with us safely and securely. Let us know your allergies so we can do our best to look after you. If you are unable to make your appointment then please make sure to cancel your appointment. We don't like it when people appointments and do not let us know.
Credentials available
You can login as ADMINISTRATOR with the following credentials: unauthorised to view!. This account has full access to everything on the portal. We are unable to provide you with a non administrator account, however if you are able to figure out how to obtain one then we give you full permission to play around with these.
Level 5
16 unique findings
14 reports disclosed
Level 4
15 unique findings
2 reports disclosed
Level 5
15 unique findings
16 reports disclosed
| Researcher | 'FirstBlood' Bugs | Hacking Time | RESPECT |
|---|---|---|---|
| holybugx Level 5 | 16 — 14 disclosed | 1 days, 6 hours, 10 minutes and 35 seconds |
32.5M |
| jtcsec Level 4 | 15 — 2 disclosed | 1 days, 20 hours, 46 minutes and 59 seconds |
30.0M |
| 0xblackbird Level 5 | 15 — 16 disclosed | 0 days, 8 hours, 56 minutes and 56 seconds |
25.5M |
| #4. jomar Level 4 | 9 — 3 disclosed | 0 days, 21 hours, 23 minutes and 48 seconds |
17.5M |
| #5. xnl-h4ck3r Level 4 | 11 — 11 disclosed | 2 days, 8 hours, 1 minutes and 43 seconds |
17.5M |
| #6. ibruteforce Level 4 | 10 — 5 disclosed | 1 days, 0 hours, 18 minutes and 33 seconds |
16.0M |
| #7. codersanjay Level 3 | 10 — 8 disclosed | 1 days, 5 hours, 27 minutes and 22 seconds |
15.5M |
| #8. serizao Level 2 | 8 — 2 disclosed | 0 days, 13 hours, 50 minutes and 1 seconds |
14.5M |
| #9. 0xconft Level 5 | 9 — 9 disclosed | 1 days, 22 hours, 22 minutes and 18 seconds |
14.5M |
| #10. thesecguy Level 2 | 10 — 4 disclosed | 2 days, 5 hours, 59 minutes and 42 seconds |
13.0M |
| #11. iffu Level 5 | 9 — 9 disclosed | 2 days, 23 hours, 18 minutes and 18 seconds |
12.5M |
| #12. smhtahsin33 Level 3 | 9 — 8 disclosed | 0 days, 4 hours, 41 minutes and 28 seconds |
12.0M |
| #13. jpdev Level 3 | 7 — 8 disclosed | 0 days, 22 hours, 23 minutes and 55 seconds |
12.0M |
| #14. pichik Level 4 | 9 — 4 disclosed | 2 days, 9 hours, 23 minutes and 40 seconds |
12.0M |
| #15. th4nu0x0 Level 2 | 5 — 4 disclosed | 0 days, 7 hours, 13 minutes and 24 seconds |
9.5M |
| #16. d20s84 Level 3 | 6 — 5 disclosed | 0 days, 19 hours, 30 minutes and 1 seconds |
9.0M |
#17.
panya  Level 7
|
7 — 1 disclosed | 0 days, 7 hours, 37 minutes and 57 seconds |
9.0M |
| #18. shivam18u Level 3 | 6 — 0 disclosed | 1 days, 13 hours, 10 minutes and 29 seconds |
9.0M |
| #19. vigilante Level 4 | 6 — 1 disclosed | 2 days, 2 hours, 18 minutes and 28 seconds |
8.5M |
| #20. mava Level 2 | 5 — 5 disclosed | 0 days, 18 hours, 57 minutes and 55 seconds |
7.5M |
| #21. vermsec Level 4 | 5 — 4 disclosed | 0 days, 13 hours, 32 minutes and 7 seconds |
7.5M |
| #22. bobbylin Level 4 | 4 — 4 disclosed | 1 days, 1 hours, 50 minutes and 49 seconds |
6.0M |
| #23. sh3llf1r3 Level 6 | 5 — 0 disclosed | 0 days, 8 hours, 59 minutes and 38 seconds |
6.0M |
| #24. rintox Level 3 | 4 — 4 disclosed | 0 days, 7 hours, 46 minutes and 30 seconds |
6.0M |
| #25. netmous3 Level 4 | 5 — 5 disclosed | 2 days, 16 hours, 4 minutes and 10 seconds |
6.0M |
| #26. parisk Level 4 | 3 — 1 disclosed | 0 days, 13 hours, 53 minutes and 5 seconds |
5.5M |
| #27. twsec Level 2 | 3 — 3 disclosed | 0 days, 19 hours, 46 minutes and 58 seconds |
5.5M |
| #28. yashamin Level 2 | 4 — 0 disclosed | 0 days, 10 hours, 32 minutes and 8 seconds |
4.5M |
| #29. 0xSaltyHash Level 3 | 4 — 4 disclosed | 0 days, 15 hours, 12 minutes and 47 seconds |
4.5M |
| #30. thefawsec Level 2 | 3 — 3 disclosed | 0 days, 10 hours, 25 minutes and 45 seconds |
4.5M |
| #31. c3phas Level 4 | 3 — 3 disclosed | 0 days, 12 hours, 31 minutes and 46 seconds |
4.5M |
| #32. sumzer0 Level 2 | 3 — 0 disclosed | 0 days, 23 hours, 4 minutes and 35 seconds |
4.0M |
| #33. jonlaing Level 2 | 3 — 2 disclosed | 1 days, 9 hours, 19 minutes and 42 seconds |
3.5M |
| #34. humboldtux Level 3 | 2 — 0 disclosed | 0 days, 4 hours, 15 minutes and 35 seconds |
3.5M |
| #35. ribersec Level 3 | 2 — 0 disclosed | 0 days, 10 hours, 48 minutes and 35 seconds |
3.0M |
| #36. egryan1 Level 2 | 3 — 0 disclosed | 0 days, 21 hours, 37 minutes and 50 seconds |
3.0M |
| #37. YouGina Level 3 | 2 — 2 disclosed | 0 days, 1 hours, 45 minutes and 18 seconds |
2.5M |
| #38. xgxtr Level 2 | 2 — 0 disclosed | 0 days, 3 hours, 1 minutes and 51 seconds |
2.0M |
| #39. iamvictorteh Level 6 | 1 — 0 disclosed | 1 days, 7 hours, 32 minutes and 30 seconds |
1.0M |
| #40. sehno Level 3 | 1 — 0 disclosed | 0 days, 5 hours, 4 minutes and 22 seconds |
1.0M |
| #41. flag_c0 Level 5 | 1 — 0 disclosed | 1 days, 0 hours, 36 minutes and 35 seconds |
500K |
| #42. tyrox Level 2 | 1 — 0 disclosed | 0 days, 10 hours, 15 minutes and 35 seconds |
500K |
FirstBlood Bugs
| Description | Type | Found By |
|---|---|---|
| There is an open url redirect vulnerability on /logout.php. The code expects it to start with / and does not allow to redirect to external domains but this can be bypassed. | Open Redirect |
38 |
| The parameter "goto" is vulnerable to XSS on login.php. The web application makes use of a WAF but this can be bypassed as it's only looking for certain HTML tags and event handlers. It is also vulnerable to open redirect but XSS is the intended bug. | Reflective XSS |
16 |
| The parameter "ref" is vulnerable to XSS on login.php. The developer has tried to prevent a malicious actor from redirecting to a javascript URI but the attempt to stop this was poor and thus it can be bypassed. | Reflective XSS |
11 |
| The parameter "ref" is vulnerable to XSS on register.php. The developer made use of htmlentities but this is inadequate as the HREF is wrapped in single quotes. | Reflective XSS |
7 |
| The endpoint QA.php (to query for an appointment) will allow for integer values to be used when querying for appointments. A bad cause of security through obscurity was attempted. | Insecure direct object reference |
15 |
| The endpoint MA.php (to modify an appointment) will allow for integer values to be used when modifying appointments. A bad cause of security through obscurity was attempted. | Insecure direct object reference |
16 |
| The endpoint MA.php (to modify an appointment) only allows for certain values to be modified, however due to some application logic error, if the user has tried to signup as a doctor and has the cookie "doctorAuthed" set, then it allows them to modify the email address for any appointment. | Application/Business Logic |
17 |
| When cancelling an appointment, an attacker can add a malicious XSS payload that will execute against administrators/doctors | Stored XSS |
13 |
| When cancelling an appointment, an attacker can add a malicious XSS payload that will execute on manageappointment. Any user (non authed) can view this and will be affected. | Stored XSS |
4 |
| When creating an appointment, it is possible to get stored XSS /drapi/query.php via the patients name | Stored XSS |
25 |
| Administrator endpoints can be accessed by non privileged doctor accounts which reveals sensitive patient information. | Application/Business Logic |
31 |
| If the request method is changed from POST to GET, then the endpoint /drapi/qp.php becomes available to ANY user due to an application logic error | Auth issues |
18 |
| /attendees/event can be seen on the HackerBack.html page but has a blank response. Upon further inspection and from making use of the web app, you will notice you can add certain headers in order to interact with this endpoint. An old event ID leaks PII information about attendees. | Information leak/disclosure |
26 |
| The parameter "goto" is vulnerable to XSS on login.php. The web application fails to filter the javascript URI upon redirecting | Reflective XSS |
3 |
| A doctors invite code is leaked on the internet which if used grants anyone access to the doctor portal. The invite code should expire after use. | Auth issues |
26 |
| The parameter "ref" is vulnerable to XSS on register.php. The developers failed to filter javascript: when used on "return to previous page" | Reflective XSS |
5 |
| Unintended: An account with the same username can be created which leads to the original account being deleted and replaced with the attackers | Auth issues |
9 |
