0xblackbird has reached Level 4 with 75+ unique vulnerabilities discovered and they have proven to us that they understand web application vulnerabilities and how to discover them. If you run a bug bounty/vulnerability disclosure program and you are looking for an active, professional researcher, we recommend considering this user

0xblackbird

Rank #46 — Level 5

100
unique bugs discovered
131 hours, 28 minutes and 26 seconds active hacking time

108
reports accepted
97 Accuracy

Vulnerability Types Found

Bug Submissions & total bug count

Hackevent (FirstBlood) Activity

Below you can find disclosed reports from our Hackevents which are events we host for our members to win rewards. You can find more information here.

Report Title	Event ID	Severity	Vulnerability Type
[COLLAB] 1 Click XSS can lead to Admin Account Takeover	FirstBlood v1	CRITICAL	`Auth issues`
It is possible to view patient's data as a new doctor	FirstBlood v1	CRITICAL	`Application/Business Logic`
Open redirect on /drpanel/logout.php	FirstBlood v1	Low	`Open Redirect`
Leaked invite ID allows anyone to register for an account.	FirstBlood v1	High	`Auth issues`
Creating a new user with same username overrides old password which can lead to account takeover	FirstBlood v1	High	`Auth issues`
Reflected xss on login.php	FirstBlood v1	Medium	`Reflective XSS`
Reflected XSS on register.php	FirstBlood v1	Medium	`Reflective XSS`
Reflected xss on register.php	FirstBlood v1	Medium	`Reflective XSS`
Unauthenticated access to PII data on /drpanel/drapi/qp.php	FirstBlood v1	CRITICAL	`Auth issues`
Hackerback event attendees information disclosed through /attendees/event.php	FirstBlood v1	CRITICAL	`Information leak/disclosure`
Adding cookie to the request allows us to modify way more data then allowed	FirstBlood v1	High	`Application/Business Logic`
New doctors are able to view patient's private data through /drpanel/drapi/qp.php	FirstBlood v1	CRITICAL	`Application/Business Logic`
GUUID is replaceable by an 8 digit number which makes it vulnerable to IDOR	FirstBlood v1	High	`Insecure direct object reference`
Stored XSS on /drpanel/drapi/query.php	FirstBlood v1	High	`Stored XSS`
Reflected xss on login.php leads to account takeover	FirstBlood v1	Medium	`Reflective XSS`
Stored XSS on yourappointments.php can lead to account takeover	FirstBlood v1	High	`Stored XSS`
Reflected XSS on /login.php via goto parameter leads to account takeover	FirstBlood v2	Medium	`Reflective XSS`
Endpoint allows unauthorized users to update other user's passwords	FirstBlood v2	CRITICAL	`Application/Business Logic`
Default credentials allow any unauthorized user to get access to a doctor account	FirstBlood v2	Medium	`Auth issues`
DOM-based XSS on /login.php via the goto parameter	FirstBlood v2	Medium	`Reflective XSS`
Open redirect on /login.php via the goto parameter	FirstBlood v2	Medium	`Reflective XSS`
Reflected XSS on /register.php via the ref parameter	FirstBlood v2	Medium	`Reflective XSS`
Stored XSS on /drpanel/index.php by cancelling an appointment	FirstBlood v2	High	`Stored XSS`
Stored XSS on /manageappointment.php can lead to account takeover	FirstBlood v2	High	`Stored XSS`
Appointment data can still be modified when upon adding a cookie	FirstBlood v2	Medium	`Application/Business Logic`
New doctors can easily get access to patients private data	FirstBlood v2	Medium	`Application/Business Logic`
Remote Code Execution via insecure deserialization on /api/checkproof.php	FirstBlood v2	CRITICAL	`Deserialization`
Open redirect on logout.php	FirstBlood v2	Low	`Open Redirect`
Endpoint discloses information about all vaccination proof records	FirstBlood v2	CRITICAL	`Information leak/disclosure`
editpassword.php allows anyone to edit any user's passwords	FirstBlood v3	CRITICAL	`Auth issues`
DOM-based XSS on /about.html can lead to account takeover	FirstBlood v3	Medium	`Reflective XSS`
Reflected XSS on /edit-doctor.php	FirstBlood v3	Medium	`Reflective XSS`
DOM-based XSS on /book-appointment.html can lead to account takeover	FirstBlood v3	Medium	`Reflective XSS`
Reflected XSS on /doctors.php	FirstBlood v3	Medium	`Reflective XSS`
Default credentials admin:admin work on login.php	FirstBlood v3	CRITICAL	`Auth issues`
Open redirect on logout remained unpatched	FirstBlood v3	Low	`Open Redirect`
Username enumeration through editpassword.php	FirstBlood v3	Informative
CSRF bypass on edit-dr.php	FirstBlood v3	Low	`Cross Site Request Forgery`
No CSRF protection on editpassword.php	FirstBlood v3	Informative
Unauthenticated Stored XSS on ambulances.php can lead to account takeover (of doctors)	FirstBlood v3	High	`Stored XSS`
Stored XSS on drpanel after joining hackerback can lead to account takeover	FirstBlood v3	CRITICAL	`Stored XSS`
Stored XSS on manageappointment.php after selecting a doctor	FirstBlood v3	High	`Stored XSS`
Stored XSS on /meet_drs.php due to unfiltered doctor's name	FirstBlood v3	High	`Stored XSS`
Stored XSS on doctors.php	FirstBlood v3	High	`Stored XSS`
It is possible to book an appointment with an unavailable doctor	FirstBlood v3	Low	`Application/Business Logic`
2nd Reflected XSS on edit-doctor.php (different injection point + payload)	FirstBlood v3	Medium	`Reflective XSS`
Doctors can change doctor's profile photo	FirstBlood v3	Low	`Application/Business Logic`
Stored XSS on /meet_drs.php can lead to full account takeover	FirstBlood v3	High	`Stored XSS`
It is possible to bypass relative URL by using triple forward slashes on photoURL and load external images	FirstBlood v3	Low	`Application/Business Logic`
PII of doctors leaked through /api/doctors.php	FirstBlood v3	High	`Information leak/disclosure`
Private office locations disclosed on /api/locations.php	FirstBlood v3	High	`Access control`
Stored XSS through doctor tagline on meet_drs.php	FirstBlood v3	High	`Stored XSS`
Blind Stored XSS on admin panel can lead to SSRF	FirstBlood v3	CRITICAL	`Stored XSS`
Stored XSS on about.php's doctor of the month field	FirstBlood v3	High	`Stored XSS`
Stored XSS on about.php through doctor of the profile photo	FirstBlood v3	High	`Stored XSS`
It is still possible to edit some data of a confirmed & cancelled appointment	FirstBlood v3	Low	`Application/Business Logic`
Appointment UUIDs leaked through new ambulances API endpoint	FirstBlood v3	High	`Information leak/disclosure`

BugBountyHunter