Not so long ago I submitted a presentation proposal to CONFidence's Call For Papers. CONFidence is one of the best European IT Sec conferences, and I love attending it because of the very good quality of the presentations and the hackish^H^H atmosphere ;-)
This year I decided to attend actively, as a speaker, with a presentation about pentesting iOS apps using a jailed iDevice. I sent my proposal and, when I received the approval, I visited the conference's website to check whether I was really included in the speakers list (at SecuRing it's common to prank your colleagues, for instance by sending emails from a fake server, haha).
I opened the website and found myself there, yay!
If you are interested in the IT Sec field, a numeric parameter in a URL probably triggers something in your brain. I immediately opened Chrome's dev tools and saw an XHR request to https://eventory.cc.
Hmm, the ID in the XHR's 'Request URL' is the same one we saw earlier. Wouldn't it be fun if we could perform a little path traversal and reflectively load our own speaker?
I registered on Eventory, created a fake conference and made Bob The Builder its main speaker.
The next step was to change the URL from
The result was of course:
Voilà! CTO Bob the Builder included. As you can see in the talks section, the description is carefully encoded, so there was no XSS vulnerability. That makes this post's title rather clickbait, since it's hard to say that this path traversal is a serious vulnerability.
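To show what the fix for this kind of bug looks like on the client side, here is an added example (not code from the original post, from CONFidence or from Eventory) of the "load speaker by id" pattern in an unchecked form beside a hardened one. The API base path, the event's speaker id set and the sample record are constructed assumptions, not Eventory's real API.

```javascript
// Constructed assumptions for the example: an API base and the set of
// speaker ids that actually belong to this event (what the real page knew).
const SPEAKER_API_BASE = "https://eventory.cc/api/speakers/";
const EVENT_SPEAKER_IDS = new Set(["101", "102", "103"]);

// Unchecked version: the URL parameter is glued onto the API path as-is.
// URL normalisation then resolves "../" segments, so a "numeric" id can
// point the request at a completely different event's resource.
function buildSpeakerUrlUnchecked(id) {
  return new URL(SPEAKER_API_BASE + id).href;
}

// Hardened version, step 1: only a plain decimal id is acceptable, and it
// must be one of the speakers registered for this event (not just any id
// that exists in the third-party service).
function isValidSpeakerId(id) {
  return typeof id === "string"
    && /^[0-9]{1,10}$/.test(id)
    && EVENT_SPEAKER_IDS.has(id);
}

// Hardened version, step 2: build the URL from the validated id only and
// re-check that the result is still below the expected path prefix.
function buildSpeakerUrl(id) {
  if (!isValidSpeakerId(id)) return null;
  const href = new URL(encodeURIComponent(id), SPEAKER_API_BASE).href;
  return href.startsWith(SPEAKER_API_BASE) ? href : null;
}

// Output encoding: this is the part the real site already got right, which
// is why the traversal never became XSS.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderSpeaker(record) {
  return `<h3>${escapeHtml(record.name)}</h3>` +
         `<p>${escapeHtml(record.description)}</p>`;
}
```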
This 'issue' was reported to CONFidence, they fixed it and the topic was closed... up to April Fools' Day! When I woke up, I saw tons of messages like 'LOL, check CONFidence's fanpage!'. And I did, haha.
If you have seen this post and have been thinking 'funny, but why Bob The Builder?', here is the answer ;-).