Scope: 'FirstBloodHackers' (version 3.0)
Please note that some parts of the text below are satire describing the web application. The policy is here to help you understand the importance of reading a bug bounty program's policy and knowing what is in scope before you start hacking.
"FirstBlood" is a hospital that understands and cares for everyone. Yes, everyone.
The world is a beautiful place, and so are you. Humans are so gifted that we possess the ability to spread and share love, which as a result makes others feel good. Isn't that amazing?! We embrace love here at FirstBloodHackers and make sure you are looked after, and we'll do our best to hack you back on track! Spread a little love today.
- We don't consider viewing another user's appointment an issue, as the appointment ID is a GUID4 and it is up to the users not to leak it. However, if the ID can be leaked on our site without the use of XSS, that is something we do consider an issue, as we have various new API calls.
- We do not consider lack of CSRF protection when joining a health camp an issue.
- We do not consider lack of rate limiting an issue, as this is not something we have implemented yet.
Available functionality
Get to know our hospital and the services we provide as well as our available doctors.
HackerCamps: "Fixing HackerBack".
Hackers are known to spend long periods of time on their computers, sometimes (okay, quite a lot!) slouching with bad posture. Over time this can cause what we call HackerBack, which is where your back is craving a good ole massage and a rest from hacking. Now you can submit your information to join a camp!
Book and manage your appointment with us safely and securely. Let us know your allergies so we can do our best to look after you. You can now assign a doctor (if available) as well as track your ambulance (if enabled).
A helping hand (this is not satire!)
It is okay to scan for files and directories, but be mindful of why you are running such scans and what you are actually trying to find. Browse older versions of FirstBlood and check for differences!
FirstBlood Bugs
ID | Description | Type | Found By |
---|---|---|---|
45 | The endpoint about.php was introduced to replace about.html, but code on about.html introduces an XSS vulnerability via the javascript: URI | Reflective XSS | 42 |
46 | The endpoint book-appointment.php was introduced to replace book-appointment.html, but code on book-appointment.html introduces an XSS vulnerability via the javascript: URI | Reflective XSS | 36 |
47 | The endpoint /doctors.php is vulnerable to reflective XSS via the ?doctor= parameter | Reflective XSS | 42 |
48 | The /drpanel/login.php endpoint accepts weak credentials (admin:admin), which allows users to access the admin panel | Auth issues | 57 |
49 | Users can modify their name/dob via the header parameters on modify-appointment.php despite this being restricted on the web application | Application/Business Logic | 19 |
52 | The endpoint /drpanel/drapi/editpassword.php still allows an unauthenticated user to modify the password of any account if the username is known. The username was renamed from drAdmin in previous versions to admin | Auth issues | 41 |
53 | It is possible to achieve stored XSS on /api/ambulances.php?select={id} via the user's first/last name. For this to work the parameter ambulance=1 must be set | Stored XSS | 37 |
54 | It is possible to achieve stored XSS on the /meet_drs.php endpoint via a malicious doctor's name | Stored XSS | 32 |
55 | It is possible to achieve stored XSS on the /doctors.php endpoint via a malicious doctor's name | Stored XSS | 32 |
56 | It is possible to achieve stored XSS on the /about.php endpoint via a malicious doctor's name | Stored XSS | 27 |
57 | It is possible to achieve stored XSS on the /manageappointment.php endpoint via a malicious doctor's name if the user has booked this specific doctor | Stored XSS | 27 |
58 | There is a CSRF vulnerability on /drpanel/edit-dr.php via a GET request and lack of token validation. It was intended that a POST request would not work because no cookies are sent on the request (due to SameSite), but due to an oversight this cookie was overwritten, rendering the protection useless | Cross Site Request Forgery | 40 |
59 | It is possible to execute XSS against the admin via the PHONE parameter on /api/hackerback.php. The developer thought setting the input type to "tel" would prevent users from entering malicious payloads | Stored XSS | 48 |
60 | The parameter "photoUrl" on /drapi/edit-dr.php should only allow relative URL paths, but this can be bypassed | Application/Business Logic | 4 |
61 | It is stated that doctor photos can NOT be modified, but it is actually possible to modify them | Application/Business Logic | 21 |
62 | The endpoint /api/locations?location= leaks the Seattle and Chicago addresses despite them being listed as PRIVATE on FirstBloodv3 | Broken access control | 17 |
63 | The endpoint /edit-doctors.php is vulnerable to reflective XSS via the ?id parameter | Reflective XSS | 34 |
64 | There is a stored XSS vulnerability on meet_drs.php via the photo of the doctor | Stored XSS | 15 |
65 | There is a stored XSS vulnerability on about.php via the photo of doctor ID 3 | Stored XSS | 13 |
66 | It is possible to leak doctors' private information such as email and phone number via the /api/doctors.php endpoint. No authentication is needed | Information leak/disclosure | 24 |
67 | It is possible to book an unavailable doctor | Application/Business Logic | 35 |
68 | The open redirect on /drpanel/logout.php remains unfixed | Open Redirect | 34 |
70 | Doctors can have taglines set; however, the tagline is vulnerable to stored XSS on meet_drs.php | Stored XSS | 21 |
71 | The endpoint /api/ambulances.php leaks patient information if the parameter ?select=all is supplied | Information leak/disclosure | 24 |
72 | Login attempts were logged on an internal panel on firstblood-helper.com, and the username is vulnerable to blind XSS affecting FirstBlood staff | Stored XSS | 20 |
73 | The endpoint /api/manageambulances.php responds to an unauthenticated PUT request, which allows an attacker to modify the information | Stored XSS | 19 |
74 | It is possible to achieve stored XSS via the doctor's bio on about.php (doctor ID 3) and meet_drs.php (only doctor IDs 1 and 2 are affected) | Stored XSS | 14 |
75 | An unauthenticated user can modify doctors via a PUT request on the /api/managedoctors.php endpoint | Broken access control | 23 |
76 | There is a stored XSS vulnerability on /ambulances.php via a malicious driver's name | Stored XSS | 16 |
77 | Sending an unauthenticated DELETE request to /api/manageambulances.php causes that ambulance to be deleted | Broken access control | 6 |
78 | When booking an appointment with the ambulance value set to "1", the user's full name is vulnerable to stored XSS on the internal admin panel "firstblood-helper.com" | Stored XSS | 12 |
User | Submissions | Valid Bugs | Bounties | Hacking Time |
---|---|---|---|---|
ayush1098 Level 7 | 30 | 30 | 7 | 1 days, 3 hours, 11 minutes and 51 seconds |
iamvictorteh Level 6 | 30 | 30 | 5 | 5 days, 0 hours, 9 minutes and 4 seconds |
mr_xhunt Level 7 | 29 | 29 | 4 | 1 days, 18 hours, 51 minutes and 48 seconds |
ar6aaz Level 3 | 27 | 27 | 4 | 1 days, 6 hours, 41 minutes and 22 seconds |
didsec Level 5 | 26 | 26 | 6 | 2 days, 16 hours, 49 minutes and 27 seconds |
naka Level 5 | 26 | 26 | 6 | 0 days, 18 hours, 31 minutes and 13 seconds |
buraaq Level 2 | 26 | 26 | 3 | 1 days, 11 hours, 33 minutes and 18 seconds |
isitbug Level 3 | 26 | 26 | 3 | 0 days, 19 hours, 51 minutes and 30 seconds |
eliee Level 7 | 26 | 26 | 3 | 1 days, 2 hours, 8 minutes and 47 seconds |
aleng Level 5 | 26 | 26 | 4 | 2 days, 10 hours, 5 minutes and 0 seconds |
xnl-h4ck3r Level 4 | 26 | 26 | 2 | 2 days, 19 hours, 42 minutes and 0 seconds |
pichik Level 4 | 26 | 26 | 6 | 3 days, 11 hours, 56 minutes and 16 seconds |
bhvrvt Level 2 | 25 | 25 | 3 | 2 days, 11 hours, 23 minutes and 25 seconds |
0xblackbird Level 5 | 25 | 25 | 1 | 1 days, 3 hours, 53 minutes and 9 seconds |
poorduck Level 5 | 24 | 24 | 5 | 1 days, 11 hours, 32 minutes and 22 seconds |
gh0st10 Level 6 | 23 | 23 | 1 | 0 days, 20 hours, 59 minutes and 40 seconds |
vermsec Level 4 | 23 | 23 | 1 | 1 days, 22 hours, 43 minutes and 4 seconds |
cyberbishop Level 3 | 20 | 20 | 0 | 1 days, 8 hours, 38 minutes and 5 seconds |
twsec Level 2 | 19 | 19 | 2 | 2 days, 5 hours, 14 minutes and 0 seconds |
srb1mal Level 4 | 17 | 17 | 3 | 0 days, 14 hours, 3 minutes and 2 seconds |
flag_c0 Level 5 | 17 | 17 | 7 | 0 days, 21 hours, 38 minutes and 53 seconds |
asura57 Level 4 | 17 | 17 | 3 | 0 days, 11 hours, 30 minutes and 20 seconds |
thane Level 5 | 14 | 14 | 1 | 1 days, 4 hours, 3 minutes and 21 seconds |
twodash Level 5 | 12 | 12 | 2 | 3 days, 0 hours, 6 minutes and 19 seconds |
karvash Level 4 | 12 | 12 | 2 | 4 days, 9 hours, 14 minutes and 41 seconds |
axe Level 4 | 11 | 11 | 1 | 1 days, 16 hours, 8 minutes and 46 seconds |
iakdh Level 4 | 10 | 10 | 2 | 1 days, 0 hours, 34 minutes and 0 seconds |
luisk2 Level 3 | 10 | 10 | 0 | 0 days, 20 hours, 26 minutes and 35 seconds |
veshraj Level 4 | 9 | 9 | 2 | 0 days, 20 hours, 59 minutes and 2 seconds |
th4nu0x0 Level 2 | 9 | 9 | 2 | 0 days, 6 hours, 31 minutes and 17 seconds |
n1ghtmar3 Level 2 | 9 | 9 | 0 | 0 days, 12 hours, 17 minutes and 42 seconds |
programmerboy Level 2 | 9 | 9 | 0 | 1 days, 19 hours, 0 minutes and 5 seconds |
zeeshan1337 Level 2 | 8 | 8 | 0 | 0 days, 11 hours, 39 minutes and 29 seconds |
hunter1104 Level 5 | 8 | 8 | 0 | 1 days, 1 hours, 27 minutes and 1 seconds |
properlay Level 7 | 7 | 7 | 4 | 0 days, 7 hours, 47 minutes and 4 seconds |
agentmellow Level 3 | 7 | 7 | 2 | 0 days, 12 hours, 41 minutes and 34 seconds |
adityarana1337 Level 5 | 6 | 6 | 0 | 0 days, 5 hours, 14 minutes and 40 seconds |
lzyzywy Level 3 | 5 | 5 | 1 | 0 days, 0 hours, 55 minutes and 19 seconds |
thecast Level 3 | 5 | 5 | 0 | 0 days, 5 hours, 32 minutes and 45 seconds |
severelylacking Level 2 | 5 | 5 | 0 | 0 days, 2 hours, 55 minutes and 48 seconds |
lumbridge7 Level 4 | 4 | 4 | 2 | 0 days, 12 hours, 31 minutes and 47 seconds |
rbl Level 4 | 4 | 4 | 0 | 1 days, 3 hours, 41 minutes and 20 seconds |
ankitkarn Level 3 | 4 | 4 | 0 | 0 days, 6 hours, 27 minutes and 23 seconds |
lunaticcalm Level 2 | 3 | 3 | 1 | 0 days, 3 hours, 29 minutes and 50 seconds |
parisk Level 4 | 3 | 3 | 0 | 0 days, 4 hours, 15 minutes and 5 seconds |
chaser Level 3 | 3 | 3 | 0 | 0 days, 4 hours, 50 minutes and 36 seconds |
zonkism Level 2 | 3 | 3 | 0 | 0 days, 12 hours, 13 minutes and 12 seconds |
yougina Level 3 | 3 | 3 | 0 | 0 days, 3 hours, 31 minutes and 50 seconds |
t3igger84 Level 5 | 3 | 3 | 0 | 1 days, 5 hours, 54 minutes and 53 seconds |
mrrootsec Level 2 | 3 | 3 | 0 | 0 days, 9 hours, 40 minutes and 43 seconds |
amec0e Level 3 | 3 | 3 | 0 | 0 days, 12 hours, 29 minutes and 35 seconds |
ldv Level 2 | 3 | 3 | 0 | 0 days, 14 hours, 36 minutes and 35 seconds |
sumanth Level 3 | 2 | 2 | 0 | 0 days, 3 hours, 14 minutes and 16 seconds |
Aituglo Level 2 | 2 | 2 | 0 | 0 days, 0 hours, 0 minutes and 0 seconds |
fsec Level 3 | 2 | 2 | 0 | 0 days, 23 hours, 4 minutes and 24 seconds |
y09358 Level 2 | 2 | 2 | 0 | 0 days, 5 hours, 18 minutes and 37 seconds |
ibruteforce Level 4 | 2 | 2 | 0 | 0 days, 1 hours, 23 minutes and 42 seconds |
imperialcoder Level 3 | 2 | 2 | 0 | 0 days, 1 hours, 39 minutes and 58 seconds |
p4tl Level 2 | 2 | 2 | 0 | 0 days, 4 hours, 49 minutes and 11 seconds |
jpdev Level 3 | 1 | 1 | 0 | 0 days, 2 hours, 1 minutes and 16 seconds |
moonlighter Level 3 | 1 | 1 | 0 | 0 days, 2 hours, 3 minutes and 8 seconds |
nish0ck Level 7 | 1 | 1 | 0 | 0 days, 11 hours, 50 minutes and 27 seconds |
kortisa Level 2 | 1 | 1 | 0 | 0 days, 6 hours, 9 minutes and 7 seconds |
totobarjo Level 2 | 1 | 1 | 0 | 1 days, 10 hours, 12 minutes and 14 seconds |
rahat Level 2 | 1 | 1 | 0 | 0 days, 0 hours, 51 minutes and 35 seconds |
giuseppe Level 2 | 1 | 1 | 0 | 0 days, 10 hours, 39 minutes and 56 seconds |
panya Level 7 | 1 | 1 | 0 | 0 days, 12 hours, 3 minutes and 6 seconds |