pichik


Rank #50, Level 4

99 unique bugs discovered
320 hours, 44 minutes and 15 seconds active hacking time
84 reports accepted
100 Accuracy

Vulnerability Types Found

Bug Submissions & total bug count

Hackevent (FirstBlood) Activity

Report Title | Event ID | Severity | Vulnerability Type
Editing other users' appointments with IDOR | FirstBlood v1 | High | Insecure direct object reference
IDOR in aptid which grants access to every appointment | FirstBlood v1 | High | Insecure direct object reference
Info leak on reddit leads to creating an account with admin privileges | FirstBlood v1 | High | Auth issues
Reflected XSS on register page | FirstBlood v1 | Medium | Reflective XSS
Reflected XSS | FirstBlood v3 | Medium | Reflective XSS
Modifying appointment | FirstBlood v3 | Low | Application/Business Logic
Leakage of all users assigned to ambulances | FirstBlood v3 | High | Information leak/disclosure
Admin account takeover with editpassword | FirstBlood v3 | CRITICAL | Auth issues
Stored XSS to account takeover of doctors | FirstBlood v3 | CRITICAL | Stored XSS
ATO with stored XSS in doctor name | FirstBlood v3 | High | Stored XSS
Edit doctor details with CSRF | FirstBlood v3 | Low | Cross Site Request Forgery
Appointment leakage | FirstBlood v3 | Medium | Application/Business Logic
Stored XSS with photo in /about endpoint | FirstBlood v3 | High | Stored XSS
redirect_url vulnerable to XSS and Open redirect | FirstBlood v3 | Medium | Reflective XSS
Leakage of doctors' PII | FirstBlood v3 | High | Information leak/disclosure
Anyone can edit doctors | FirstBlood v3 | High | Access control
Anyone can edit ambulances | FirstBlood v3 | High | Stored XSS
Stored XSS in ambulance driver | FirstBlood v3 | High | Stored XSS
Doctor params vulnerable to stored XSS | FirstBlood v3 | High | Access control
Blind XSS in appointments | FirstBlood v3 | CRITICAL | Stored XSS
Stored XSS with tagline | FirstBlood v3 | High | Access control