Good day,
While scrolling through your ‘Hacking Community’ forum I had gone to the next page after which I wanted to return to the previous page.
The ‘previous page’ button is linked to ‘hacking/49.json’ which then outputs a json array called ‘users’ with user id’s and a bit more info. here is a sample output:
{“users”:[{“id”:15154,“username”:“Vanacharla_Sampath”,“name”:“Vanacharla Sampath”,“avatar_template”:“/user_avatar/community.parrotsec.org/vanacharla_sampath/{size}/12065_2.png”,“trust_level”:0},
Now this may be partly due to the fact that I run ‘NoScript’ and a few other extensions but I then quickly went to other pages like ‘86’ and append ‘.json’ to the file name and also found the same thing.
I bring this up because in CTFs and Bug Bounty Hunting I have played with, this could lead to information being misused or possible IDORs.
I am by no means an expert but I just found this to be concerning and thought I would share my accidental findings. I love Parrot OS and would not like to see someone misused information like what I had just found.