FirstBlood-#160 Hackerback event attendees information disclosed through /attendees/event.php
This issue was discovered on FirstBlood v1.0.0



On 2021-05-10, 0xblackbird Level 5 reported:

Hi! I found a little privacy issue on /attendees/event.php. It discloses information about the attendees of the (previous) Hackerback event.

Steps to reproduce

  • Visit /attendees/event.php?q={ID} (Example: ID = 560720) and intercept the request.
  • Send this request to Repeater
  • Manually add the following required request header: X-SITE-REQ: permitted and make the request.
  • In the response, you'll get a lot of information about that event.

Impact

Information is disclosed and can be viewed unauthorised. The ID can also be bruteforced since it's not a big number, only 6 digits.

Kind regards, 0xblackbird

P1 CRITICAL

Endpoint: /attendees/event.php

Parameter: q

Payload: {ID}


FirstBlood ID: 13
Vulnerability Type: Information leak/disclosure

/attendees/event can be seen on the HackerBack.html page but returns a blank response. On further inspection, and from using the web app, you will notice that certain request headers can be added in order to interact with this endpoint. An old event ID leaks PII about attendees.
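
A defender-side check for the enumeration risk noted in the report, added here as an example and not part of the original report or the FirstBlood code: it scans access logs for clients that request many distinct `q` values on `/attendees/event.php` and lists which IDs came back with a non-blank body. The log layout, sample lines, thresholds and the function name `find_enumerators` are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample lines (combined-log style, documentation IP ranges, made-up sizes).
SAMPLE_LOG = """\
198.51.100.7 - - [10/May/2021:10:00:01 +0000] "GET /attendees/event.php?q=560718 HTTP/1.1" 200 12
198.51.100.7 - - [10/May/2021:10:00:01 +0000] "GET /attendees/event.php?q=560719 HTTP/1.1" 200 12
198.51.100.7 - - [10/May/2021:10:00:02 +0000] "GET /attendees/event.php?q=560720 HTTP/1.1" 200 4310
198.51.100.7 - - [10/May/2021:10:00:02 +0000] "GET /attendees/event.php?q=560721 HTTP/1.1" 200 12
203.0.113.9 - - [10/May/2021:10:03:10 +0000] "GET /attendees/event.php?q=560720 HTTP/1.1" 200 4310
203.0.113.9 - - [10/May/2021:10:03:15 +0000] "GET /attendees/event.php?q=560720 HTTP/1.1" 200 4310
203.0.113.9 - - [10/May/2021:10:04:00 +0000] "GET / HTTP/1.1" 200 9001
"""

# Assumed layout: client, ident, user, [time], "GET path?query proto", status, body bytes.
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] '
    r'"GET /attendees/event\.php\?([^" ]*) HTTP/[\d.]+" (\d{3}) (\d+|-)$'
)


def find_enumerators(log_text, max_distinct_ids=3, blank_size=64):
    """Return clients that requested more than max_distinct_ids different event IDs.

    For each flagged client, report how many IDs were tried and which of them
    returned a body larger than blank_size bytes (likely attendee data).
    Both thresholds are hypothetical and need tuning against real traffic.
    """
    seen = defaultdict(dict)  # client -> {event id: largest body size observed}
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # other endpoints or unparseable lines are ignored
        client, query, _status, size = match.groups()
        body = int(size) if size.isdigit() else 0
        for event_id in parse_qs(query).get("q", []):
            seen[client][event_id] = max(body, seen[client].get(event_id, 0))

    report = {}
    for client, ids in seen.items():
        if len(ids) > max_distinct_ids:
            exposed = sorted(i for i, body in ids.items() if body > blank_size)
            report[client] = {"distinct_ids": len(ids), "returned_data": exposed}
    return report
```

The `returned_data` list gives responders the event IDs whose attendee records should be treated as exposed to that client.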