FirstBlood-#699 — All vaccination proof records leaked
This issue was discovered on FirstBlood v2
On 2021-10-27, buraaq Level 2 reported:
Hello zseano,
Summary
The file /vaccination-manager/swagger.yaml can be reached easily by directory brute-forcing. It gets downloaded. It contains the info about another endpoint, which gives out the full details for all vaccination proof records, which should not be available publicly.
It contains:
- ID
- Email
- Proof
- IP of victim
- User-Agent
- Creation time
Steps to reproduce
- Visit the endpoint /vaccination-manager/swagger.yaml
- Open the swagger.yaml file. Go to the endpoint mentioned in the file: /vaccination-manager/api/vax-proof-list.php
- You can see all the record details for all vaccination proof records.
POC
Impact
Sensitive data is accessible publicly
Kind regards,
buraaqsec
P1 CRITICAL
Endpoint: /vaccination-manager/vax-proof-list.php
This report contains multiple vulnerabilities:
FirstBlood ID: 37
Vulnerability Type: Information leak/disclosure
The endpoint /vaccination-manager/api/vax-proof-list.php leaks PII without any authentication. The intended solution was to find it via swagger-ui at /vaccination-manager/api.php
FirstBlood ID: 31
Vulnerability Type: Information leak/disclosure
The endpoint api.php can be found under the vaccination manager portal directory, which allows for user interaction and results in a PII leak on vax-proof-list.php.
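As an added defender's example, not part of the report or of the FirstBlood application: a Python check that walks web-server access log lines for the chain the report describes, a download of swagger.yaml followed by a successful read of vax-proof-list.php with no session cookie. It assumes an Apache combined log extended with a trailing "%{PHPSESSID}C" field; the sample log lines are constructed.

```python
import re
from dataclasses import dataclass

# Paths named in the report: the API description and the endpoint it reveals.
WATCHED = {
    "/vaccination-manager/swagger.yaml": "api-spec-download",
    "/vaccination-manager/api/vax-proof-list.php": "pii-read-without-session",
}

# Assumed log format: Apache combined, extended with "%{PHPSESSID}C" as a last
# quoted field, so "-" there means the request carried no session cookie.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<sess>[^"]*)"$'
)

@dataclass(frozen=True)
class Finding:
    ip: str
    path: str
    reason: str

# Constructed sample lines (not real traffic): one client downloads the spec and
# then reads the record list with no session; a logged-in user browses normally.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Oct/2021:10:00:00 +0000] "GET /vaccination-manager/swagger.yaml HTTP/1.1" 200 2048 "-" "curl/7.79.1" "-"',
    '203.0.113.5 - - [27/Oct/2021:10:00:04 +0000] "GET /vaccination-manager/api/vax-proof-list.php HTTP/1.1" 200 9130 "-" "curl/7.79.1" "-"',
    '198.51.100.9 - - [27/Oct/2021:10:01:00 +0000] "GET /vaccination-manager/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" "k3fj92"',
]

def analyse(lines):
    """Flag successful spec downloads and successful record-list reads that carried no session."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "200":
            continue
        path = m["path"].split("?", 1)[0]          # ignore query strings
        reason = WATCHED.get(path)
        # Skip unwatched paths, and record-list reads that did carry a session cookie.
        if reason is None or (reason == "pii-read-without-session" and m["sess"] != "-"):
            continue
        findings.append(Finding(m["ip"], path, reason))
    return findings

def recon_then_read(findings):
    """IPs that fetched the spec and then pulled the record list without a session."""
    seen = {}
    for f in findings:
        seen.setdefault(f.ip, set()).add(f.reason)
    return sorted(ip for ip, r in seen.items() if r == set(WATCHED.values()))
```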