FirstBlood-#101 — Invite codes do not expire after use
This issue was discovered on FirstBlood v1
On 2021-05-10, jpdev Level 3 reported:
Summary
It is possible to reuse invite codes to register multiple accounts on the system. However, reusing the invite code deletes the previous account to use the code.
Request
POST /register.php HTTP/1.1
Host: firstbloodhackers.com:49335
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 74
Origin: http://firstbloodhackers.com:49335
DNT: 1
Connection: close
Referer: http://firstbloodhackers.com:49335/register.php
Cookie: drps=d3caedab3f141960c4064dc80; doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9
Upgrade-Insecure-Requests: 1

action=register&username=jpdev&inviteCode=F16CA47250E445888824A9E63AE445CE
Impact
The impact here is that you lose control of who is accessing the system once the invite code is out in the wild. At this point you are giving someone a foothold into your system, another layer of the onion per se.
Remediation
Amend the invite system to have one-use codes that expire after a time period has passed. This means that codes will expire once used or if enough time has elapsed, causing them to expire.
P2 High
Endpoint: /register.php
Parameter: inviteCode
Payload: F16CA47250E445888824A9E63AE445CE
FirstBlood ID: 15
Vulnerability Type: Auth issues
A doctor's invite code is leaked on the internet which, if used, grants anyone access to the doctor portal. The invite code should expire after use.
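The remediation described in the report (single-use codes that also expire after a time period) can be enforced with one atomic database update, as in this added example, which is not code from FirstBlood or from the reporter. The table layout, the function names and the choice to store only a hash of the code are assumptions made for the illustration.

```python
import hashlib
import secrets
import sqlite3
import time

# Schema names are assumptions for this example, not FirstBlood's real tables.
SCHEMA = """
CREATE TABLE invites (
    code_hash  TEXT PRIMARY KEY,  -- store a hash, never the code itself
    expires_at REAL NOT NULL,     -- unix time after which the code is dead
    used_by    TEXT               -- NULL until the code is redeemed
);
CREATE TABLE users (username TEXT PRIMARY KEY);
"""

def new_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def _hash(code):
    return hashlib.sha256(code.encode()).hexdigest()

def issue_invite(db, ttl_seconds, now=None):
    """Create a random invite code valid for ttl_seconds and return it."""
    now = time.time() if now is None else now
    code = secrets.token_hex(16).upper()
    with db:
        db.execute("INSERT INTO invites VALUES (?, ?, NULL)", (_hash(code), now + ttl_seconds))
    return code

def register(db, username, invite_code, now=None):
    """Create the account only if the invite is unused and unexpired."""
    now = time.time() if now is None else now
    try:
        with db:  # one transaction: claim the code and create the user
            # Atomic claim: a replayed or expired code matches zero rows.
            cur = db.execute(
                "UPDATE invites SET used_by = ? WHERE code_hash = ? "
                "AND used_by IS NULL AND expires_at > ?",
                (username, _hash(invite_code), now))
            if cur.rowcount != 1:
                return False
            # A duplicate username raises, rolling back the claim too;
            # an existing account is never deleted or replaced.
            db.execute("INSERT INTO users VALUES (?)", (username,))
        return True
    except sqlite3.IntegrityError:
        return False
```

Because the claim and the account creation share one transaction, two concurrent requests with the same code cannot both succeed, and a failed registration does not burn the invite.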