FirstBlood-#160 — Hackerback event attendees information disclosed through /attendees/event.php
This issue was discovered on FirstBlood v1
On 2021-05-10, 0xblackbird Level 5 reported:
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles
Hi! I found a little privacy issue on /attendees/event.php. It discloses information about the attendees of the (previous) Hackerback event.
Steps to reproduce
- Visit
/attendees/event.php?q={ID} (Example: ID = 560720) and intercept the request.
- Send this request to Repeater
- Manually add the following required request header:
X-SITE-REQ: permitted and make the request.
- In the response, you'll get a lot of information about that event.
Impact
Information is disclosed and can be viewed unauthorised. The ID can also be bruteforced since it's not a big number, only 6 digits.
Kind regards,
0xblackbird
P1 CRITICAL
Endpoint: /attendees/event.php
Parameter: q
Payload: {ID}
FirstBlood ID: 13
Vulnerability Type: Information leak/disclosure
/attendees/event can be seen on the HackerBack.html page but has a blank response. Upon further inspection and from making use of the web app, you will notice you can add certain headers in order to interact with this endpoint. An old event ID leaks PII information about attendees.