Usernames ending in .json are not restricted
Unknown
Vulnerability Details
Description:
Username in *.json is not restricted.
Disallowed *.json is allowed in username restriction.
URL: https://gratipay.com/robots.txt
User-agent: *
Disallow: /*.json
Disallow: /on/*
POC URL:
https://gratipay.com/~karthic.json/ and you will end up at my profile page.
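The point of the report is a mismatch between two layers: robots.txt declares that *.json paths are off-limits to crawlers, while the username validator does not reserve the suffix, so a registered name like karthic.json produces a profile URL that the robots.txt wildcard rule also covers. The following is an added illustration, not Gratipay's code or the reporter's: it parses the robots.txt rules quoted above (embedded here as a constructed copy, not fetched live), applies the common wildcard semantics where a rule is a prefix match, `*` matches any run of characters and a trailing `$` anchors the end, and shows how a hypothetical registration check (`username_is_allowed`, an assumption about how such a restriction could be enforced) would reject the colliding name.

```python
import re

# Constructed copy of the robots.txt rules quoted in the report (not fetched live).
ROBOTS_TXT = """User-agent: *
Disallow: /*.json
Disallow: /on/*
"""


def parse_disallow(robots_txt):
    """Return the Disallow patterns that apply to the wildcard user-agent group."""
    rules = []
    active = False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            active = value == "*"
        elif key == "disallow" and active and value:
            rules.append(value)
    return rules


def rule_to_regex(rule):
    """Translate one Disallow rule into a regex.

    Rules are prefix matches: '*' matches any run of characters and a
    trailing '$' anchors the end of the path (Google-style wildcard semantics).
    """
    anchored = rule.endswith("$")
    body = rule[:-1] if anchored else rule
    pattern = "".join(".*" if ch == "*" else re.escape(ch) for ch in body)
    return re.compile("^" + pattern + ("$" if anchored else ""))


def is_disallowed(path, rules):
    """True if any Disallow rule covers the given URL path."""
    return any(rule_to_regex(rule).match(path) for rule in rules)


def username_is_allowed(username, rules):
    """Hypothetical registration check (an assumption, not Gratipay's code):
    reject a username whose profile URL /~<name>/ would fall under a Disallow
    rule, which is the restriction the report says is missing."""
    return not is_disallowed("/~%s/" % username, rules)


if __name__ == "__main__":
    rules = parse_disallow(ROBOTS_TXT)
    for name in ("karthic", "karthic.json"):
        print(name, "allowed" if username_is_allowed(name, rules) else "rejected")
```

Run stand-alone, the script reports `karthic` as allowed and `karthic.json` as rejected, because `/*.json` matches the profile path `/~karthic.json/` as a prefix; a crawler honouring the wildcard would therefore skip that user's profile page even though it is an ordinary HTML page, which is the inconsistency the POC URL demonstrates.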
Report Stats
- Report ID: 161935
- State: Closed
- Substate: informative