Reward: $250
Program: Private
Overview of the Vulnerability
Disclosure of secrets for a publicly available asset occurs when sensitive data is not behind an authorization barrier. When this information is exposed it can place sensitive data, such as secrets, at risk. This can occur due to a variety of scenarios such as not encrypting data, secrets committed to GitHub within public repositories, or exposed external assets. Disclosure of secrets for publicly available assets could be leveraged by an attacker to gain privileged access to the application or the environment where the application is hosted. From here, an attacker could execute functions under the guise of an Administrator user, depending on the permissions level they are able to access.
Business Impact
Disclosure of secrets for a publicly available asset can lead to indirect financial loss due to an attacker accessing, deleting, or modifying data from within the application. Reputational damage for the business can also occur via the impact to customers’ trust that these events create. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application.
Spring Boot Paths are exposing critical information about c4ng4c31r0[.]com such as paths, environment configuration.
Spring Boot paths found:
https://c4ng4c31r0[.]com/api/maintenance/actuator/heapdump
https://c4ng4c31r0[.]com/api/maintenance/actuator
https://c4ng4c31r0[.]com/api/maintenance/actuator/beans
https://c4ng4c31r0[.]com/api/maintenance/actuator/caches
https://c4ng4c31r0[.]com/api/maintenance/actuator/conditions
ttps://c4ng4c31r0[.]com/api/maintenance/actuator/configprops
https://c4ng4c31r0[.]com/api/maintenance/actuator/env
https://c4ng4c31r0[.]com/api/maintenance/actuator/env/home
https://c4ng4c31r0[.]com/api/maintenance/actuator/env/lang
https://c4ng4c31r0[.]com/api/maintenance/actuator/env/language
https://c4ng4c31r0[.]com/api/maintenance/actuator/env/path
https://c4ng4c31r0[.]com/api/maintenance/actuator/env/hostname
https://c4ng4c31r0[.]com/api/maintenance/actuator/features
https://c4ng4c31r0[.]com/api/maintenance/actuator/health
https://c4ng4c31r0[.]com/api/maintenance/actuator/info
https://c4ng4c31r0[.]com/api/maintenance/actuator/mappings
https://c4ng4c31r0[.]com/api/maintenance/actuator/metrics
https://c4ng4c31r0[.]com/api/maintenance/actuator/loggers
https://c4ng4c31r0[.]com/api/maintenance/actuator/scheduledtasks
https://c4ng4c31r0[.]com/api/maintenance/actuator/threaddump
Steps to reproduce:
1 - Use the wordlist [https://github.com/emadshanab/DIR-WORDLISTS/blob/main/spring-boot.txt] to perform a brute force attack on the https://c4ng4c31r0[.]com/api/maintenance/ endpoint.
2 - Note that the heapdump endpoint was identified. When accessing it, an automatic download is performed containing a binary file.
Using visualvm https://visualvm.github.io/, we can read the contents of the file in plain text.
PoC
Using visualvm to decompile and read plain text credentials:
Status/Reward:
Resolved!
Top comments (0)