FirstBlood-#174[Two Tales of Info leak] Site setting can be accessed and leaked a "x-site-req" header. This header can be used to get HackerBack event attendees info.



On 2021-05-11, bobbylin reported:

The Two Tales of Information Leakage :

  • In the doctor panel, we can see that there is a sitesettings value in the JS code.

  • Try appending with some common file extensions: js, txt, yml, config, php, html, etc. Only the php shows some response.

  • If we navigate to /drpanel/drapi/sitesettings.php endpoint, it will return a response that shows a HTTP header: {"site":"firstblood","process":"eventhandler","x-required":[{"x-site-req":"permitted"},{"type":"request"}],"active":true}

  • In the HackerBack event page, there is another info leak on the "attendees of the event" endpoint.

  • The event endpoint will return blank with response 200. So we know that this endpoint exists.
  • If we tried adding the "x-site-req" endpoint, we can retrieve event information. But this event id (/attendees/event.php?q=560720) does not return sensitive PII. However, it leaked out the old event id "560700".

  • The old event id will leak PII information of the attendees such as number, email, last_4_CC and contact number.

P1 CRITICAL

Parameter:

Payload:


FirstBlood ID: 13
Vulnerability Type: Info leak

/attendees/event can be seen on the HackerBack.html page but has a blank response. Upon further inspection and from making use of the web app, you will notice you can add certain headers in order to interact with this endpoint. An old event ID leaks PII information about attendees.


Respect Earnt: 2000000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.