FirstBlood-#1632 — Information disclosure
This issue was discovered on FirstBlood v3
On 2022-12-12, srb1mal Level 4 reported:
Hello sean,
Summary -
I found an info disclosure on the /api/locations.php endpoint with the location parameter.
Steps to reproduce -
- Visit https://057253f90d39-srb1mal.a.firstbloodhackers.com/api/locations.php?location=chicago and it says it leaked some kind of private data, which I don't know where to use.
POC -
Thanks & Regards,
srb1mal
P2 High
Endpoint: /api/locations.php
Parameter: location
Payload: chicago
FirstBlood ID: 62
Vulnerability Type: Access_control
The endpoint /api/locations?location= leaks the Seattle and Chicago addresses despite them being listed as PRIVATE on FirstBlood v3.