Using a P3 Bug to Escalate a P4 to P3

What is Sensitive Data Exposure?

Sensitive Data Exposure occurs when an application does not adequately protect sensitive information. The data varies: anything from passwords, email IDs and session tokens to credit card data, private health data and more can be exposed.

Case Study

As this was a private program all illustrations of vulnerabilities will be represented with the host as

The site was built to provide 6 different courses. It has a number of features, one of which is making a comment.

Work flow

Enroll yourself in one of the courses. That unlocks a new section with the following options: view course, discussion and your-progress.

Under the discussion section you can make a comment. Whenever you make a comment, the following request is sent:

HTTP request

POST /api/rest/v2/online-courses/COURSE-ID/comments/564 HTTP/1.1


As shown above, making a comment issues a REST API call with the POST method.

So I captured that request, forwarded it to Repeater and changed the method from POST to GET to see the response.

Modified request

GET /api/rest/v2/online-courses/COURSE-ID/comments/564 HTTP/1.1

It displayed all the details of my account in JSON format, for example: name, phone number, email ID, image link, and so on. Sensitive data was exposed, but it was displaying only my data, so I tried removing the parameter after comments.

Modified request

GET /api/rest/v2/online-courses/COURSE-ID/comments/ HTTP/1.1

Now I have all the details of every single person that enrolled for that particular course.

Reported and accepted as P3

On the same site, I had reported EXIF data, which is manual rather than automated enumeration and comes under P4.

What is EXIF-DATA?

EXIF is short for Exchangeable Image File, a format that is a standard for storing interchange information in digital photography image files using JPEG compression. Almost all new digital cameras use the EXIF annotation, storing information on the image such as shutter speed, exposure compensation, F-number, what metering system was used, if a flash was used, ISO number, date and time the image was taken, white-balance, auxiliary lenses that were used and resolution. Some images may even store GPS information so you can easily see where the images were taken.

Since manual enumeration was under P4, let's escalate it to P3 with automatic enumeration.

From the above bug I collected all the data in a text file; with the cut command in Linux I extracted all the image links, and with wget I collected all the images, hence automated enumeration.

Reported and accepted as P3
