FirstBlood-#1607 — Information Disclosure about private locations
This issue was discovered on FirstBlood v3
On 2022-12-12, xnl-h4ck3r Level 4 reported:
Summary
There is an information disclosure vulnerability that leaks details of private locations to any user without any need for authentication.
The home page shows that locations are in Chicago and Seattle, but the details of the location should be private unless a user has a confirmed booking.
However, this can be viewed by anyone without having to make a booking.
Steps to Reproduce
- Go to endpoint /api/locations.php?location=chicago
- Go to endpoint /api/locations.php?location=seattle
Impact
Data that is intended to be private is available for any user to view.
P2 High
Endpoint: /api/locations.php
Parameter: location
Payload: chicago & seattle
FirstBlood ID: 62
Vulnerability Type: Access_control
The endpoint /api/locations?location= leaks the Seattle and Chicago addresses despite them being listed as PRIVATE on FirstBlood v3.
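The missing check behind this report is an authorization decision: the handler returns private address data without first confirming that the caller has a confirmed booking. The following is an added example, not FirstBlood's own code, showing the reported pattern beside a hardened handler. It assumes hypothetical `locations` (slug, city, address, phone) and `bookings` (user_id, location, status) tables and a session that stores the logged-in user's id in `$_SESSION['user_id']`.

```php
<?php
// Added example (hypothetical schema, not FirstBlood's code): /api/locations.php
declare(strict_types=1);
session_start();

// Reported pattern: the lookup is driven only by the ?location= parameter,
// so anyone (authenticated or not) receives the private address fields.
function getLocationVulnerable(PDO $db, string $location): ?array
{
    $stmt = $db->prepare('SELECT city, address, phone FROM locations WHERE slug = ?');
    $stmt->execute([$location]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Authorization check: does this user hold a CONFIRMED booking for the location?
// The user id comes from the server-side session, never from the request.
function hasConfirmedBooking(PDO $db, int $userId, string $location): bool
{
    $stmt = $db->prepare(
        'SELECT 1 FROM bookings WHERE user_id = ? AND location = ? AND status = ? LIMIT 1'
    );
    $stmt->execute([$userId, $location, 'confirmed']);
    return $stmt->fetchColumn() !== false;
}

// Hardened handler: the same lookup, but private fields are stripped unless the
// caller is authenticated AND authorized. Unknown locations still return null.
function getLocationHardened(PDO $db, ?int $userId, string $location): ?array
{
    $row = getLocationVulnerable($db, $location);
    if ($row === null) {
        return null;
    }
    if ($userId === null || !hasConfirmedBooking($db, $userId, $location)) {
        return ['city' => $row['city']]; // only the public part (city name)
    }
    return $row;
}

$db = new PDO('sqlite:firstblood.db'); // placeholder DSN for the example
$location = strtolower(trim($_GET['location'] ?? ''));
$userId = isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;

header('Content-Type: application/json');
$result = getLocationHardened($db, $userId, $location);
http_response_code($result === null ? 404 : 200);
echo json_encode($result ?? ['error' => 'unknown location']);
```

A quick regression check for this class of bug is to request the endpoint with no session cookie and assert that only the public fields come back.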