Can you obtain the sensitive information somehow?

Important information

Our challenges do NOT require any bruteforcing/directory fuzzing/massive amounts of traffic. Please practise hacking on our challenges manually.

Failure to abide by the rules will put you at risk of being restricted from using our free challenges.

Can you obtain the sensitive information somehow?

Begin challenge

Easy Misc / Application Logic

We recommend using Firefox for your PoC.

If you visit https://www.bugbountytraining.com/challenges/challenge-15.php then you'll see Not authenticated!.

Visit https://www.bugbountytraining.com/challenges/challenge-15login.php first and then revisit the URL above.

You can see some sensitive information right?

Your task is to somehow leak this information as an attacker when a victim visits your site.

Completed the challenge?

You can browse the intended solution to this challenge below.

Solution

This will only work on Firefox!

First, visit https://www.bugbountytraining.com/challenges/challenge-15login.php to set the auth cookie. This is important.

Next, on https://www.bugbountytraining.com/challenges/challenge-15.php if you try common ways to leak info such as CORS, you'll discover Origin: is trusted but there's no Access-Allow-Credential: true on the response, which is required because of the auth login needed first.

So what can you do?

Think of other common ways you may be able to leak data from a JSON reply. JSONP!.

Even though Allow-Credentials isn't set, it doesn't matter for JSONP when setting it as a script.

Working POC on firefox

<script>
      userinfo = function (data) {
      alert(JSON.stringify(data));
      };  
</script>
<script src="https://www.bugbountytraining.com/challenges/challenge-15.php?jsonp=userinfo" type="text/javascript"></script>

BugBountyHunter

Important information