In the name of Allah, the Beneficent, the Merciful
Hi everyone, in this write-up I will tell you about a bug that I found on the redacted.com website that allows attackers to get all the email addresses of instructors by just visiting the courses they create.
This site is a course service provider that allows users to register, log in, buy courses, add to wishlist, view transaction details, and so on.
This vulnerability was discovered when I tried to view course details while intercepting a GET request using Burp. In the response to the request, the “email” parameter appeared with the value “INSTRUCTOR@gmail.com” in the JSON body.
Attackers can obtain all email addresses belonging to instructors with this method.
1. Go to redacted.com
2. Log in with your account.
3. Select any course -> Click “See Details”.
4. Capture the request using a proxy tool like Burp -> Refresh the page.
5. In Burp -> Go to the Proxy tab -> HTTP history -> Click the GET request with the endpoint as below:
GET /api/web-class/slug/COURSE_NAME?lang=en&variantIsActive=true HTTP/1.1
6. Right click -> Send to Repeater -> Send -> You will see the course details with a response of 200 with the parameter "email":"INSTRUCTOR@gmail.com" in the JSON body as below:
HTTP/1.1 200
{"email":"INSTRUCTOR@gmail.com"}
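A regression check for this kind of leak, as an added example that is not code from this write-up or from the affected site: it walks a JSON response for e-mail keys and values, and projects a stored record onto an allowlist before it is serialized. Every field name other than "email", the allowlist, and the sample record are assumptions made for illustration.

```python
import re

# Assumed allowlist: fields the public course-detail response may contain.
PUBLIC_FIELDS = {
    "course": {"slug", "title", "price", "instructor"},
    "instructor": {"name", "bio"},
}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def find_email_leaks(node, path="$"):
    """Return JSON paths with an e-mail-like key or a string value holding an address."""
    leaks = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if "email" in key.lower():
                leaks.append(child)
            else:
                leaks.extend(find_email_leaks(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            leaks.extend(find_email_leaks(item, f"{path}[{i}]"))
    elif isinstance(node, str) and EMAIL_RE.search(node):
        leaks.append(path)
    return leaks


def to_public(record, kind="course"):
    """Keep only allowlisted fields, recursing into nested objects that have their own allowlist."""
    out = {}
    for field in PUBLIC_FIELDS[kind]:
        if field not in record:
            continue
        value = record[field]
        nested = field in PUBLIC_FIELDS and isinstance(value, dict)
        out[field] = to_public(value, field) if nested else value
    return out


# Constructed sample record; only the "email" key and its value come from the write-up.
SAMPLE = {
    "slug": "COURSE_NAME",
    "title": "Sample course",
    "instructor": {"name": "Instructor Name", "email": "INSTRUCTOR@gmail.com"},
    "createdBy": "INSTRUCTOR@gmail.com",
}

if __name__ == "__main__":
    print("raw response leaks:", find_email_leaks(SAMPLE))
    print("after allowlist:   ", find_email_leaks(to_public(SAMPLE)))
```

Running `find_email_leaks` over recorded API responses in an integration test catches the field if it is ever added back to the serializer.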
2/3/2024 : Report sent
3/4/2024 : Triaged
4/3/2024 : Fixed & asking for reward