Server Side Misconfiguration - A Funny Fix

Summary:

I would like to share my recent finding. By luck, I accidentally clicked the Reload button on a 404 page and got an information disclosure. The vulnerability has now been resolved properly.

I was recently reading the HackerOne Hacktivity page and saw a published report (https://hackerone.com/reports/981796) about an information disclosure on one of the subdomains of hey.com; the endpoint was https://gopher.hey.com/metrics. The report listed the steps to reproduce the issue, so I tried to reproduce it. At first it gave me a 404 Not Found error, but when I clicked the reload button I got access to the endpoint again. The issue had been resolved in the report mentioned above, but because of an improper fix it was reproducible again.

When I tried to reproduce the issue with curl (curl https://gopher.hey.com/metrics) it returned 404 every time, but when I visited the same URL in a browser the first response was a 404 and, after clicking the reload button, the information was disclosed. The leaked information was related to garbage collection cycles.
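A retest that stops at the first 404 from one client would have missed this, because the response depended on the client and on repeating the request. The following probe is an added example written for this post, not code from the original report or from hey.com: it sends the same URL several times under a curl-like header set and two browser-like header sets (a plain navigation and a reload, which adds Cache-Control: max-age=0 and Pragma: no-cache), hashes each body, and flags the endpoint if any probe differs from the others or returns anything but 404. The header values and the profile names are my own choices for the example; the GC metrics in the test server are constructed, not captured from the target.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"os"
	"time"
)

// Profile is one set of request headers. A response that depends on the
// client (curl versus a browser reload) only shows up if more than one
// profile is sent.
type Profile struct {
	Name    string
	Headers map[string]string
}

const chromeUA = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
const htmlAccept = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"

// Profiles are assumed header sets chosen for this example, not captured
// from the original report. Order matters: results are compared to the first.
var Profiles = []Profile{
	{"curl", map[string]string{"User-Agent": "curl/8.4.0", "Accept": "*/*"}},
	{"browser", map[string]string{"User-Agent": chromeUA, "Accept": htmlAccept, "Accept-Language": "en-US,en;q=0.9"}},
	// A browser reload adds cache-busting headers to the normal navigation headers.
	{"browser-reload", map[string]string{"User-Agent": chromeUA, "Accept": htmlAccept, "Accept-Language": "en-US,en;q=0.9", "Cache-Control": "max-age=0", "Pragma": "no-cache"}},
}

// Result records what one request received.
type Result struct {
	Profile  string
	Attempt  int
	Status   int
	BodyHash string // SHA-256 of the body, so bodies can be compared without keeping them
}

// Probe sends the URL `attempts` times per profile, in order, and returns every result.
func Probe(client *http.Client, url string, attempts int) ([]Result, error) {
	var results []Result
	for _, p := range Profiles {
		for i := 1; i <= attempts; i++ {
			req, err := http.NewRequest(http.MethodGet, url, nil)
			if err != nil {
				return nil, err
			}
			for k, v := range p.Headers {
				req.Header.Set(k, v)
			}
			resp, err := client.Do(req)
			if err != nil {
				return nil, err
			}
			body, err := io.ReadAll(resp.Body)
			resp.Body.Close()
			if err != nil {
				return nil, err
			}
			sum := sha256.Sum256(body)
			results = append(results, Result{p.Name, i, resp.StatusCode, hex.EncodeToString(sum[:])})
		}
	}
	return results, nil
}

// Inconsistent reports whether any probe saw a different status or body than
// the first one. An endpoint that is really gone answers every probe with the
// same 404.
func Inconsistent(results []Result) bool {
	for i := 1; i < len(results); i++ {
		if results[i].Status != results[0].Status || results[i].BodyHash != results[0].BodyHash {
			return true
		}
	}
	return false
}

// Leaked reports whether any probe received something other than a 404.
func Leaked(results []Result) bool {
	for _, r := range results {
		if r.Status != http.StatusNotFound {
			return true
		}
	}
	return false
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: probe <url>")
		os.Exit(2)
	}
	client := &http.Client{Timeout: 10 * time.Second}
	results, err := Probe(client, os.Args[1], 3)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, r := range results {
		fmt.Printf("%-15s attempt %d  status %d  body %s\n", r.Profile, r.Attempt, r.Status, r.BodyHash[:12])
	}
	fmt.Printf("inconsistent=%v leaked=%v\n", Inconsistent(results), Leaked(results))
}
```

Run it as `go run probe.go https://host/metrics` against a target you are authorized to test. Only a run that reports inconsistent=false and leaked=false for every profile and attempt supports the claim that the endpoint is gone; a single 404 from curl does not.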

Previously deployed fix:

[Screenshot: previous fix]

How I found this vulnerability?

1. I went to https://gopher.hey.com/metrics and got a 404 error.

[Screenshot: 404 Not Found]

2. Then I clicked on reload and got the information disclosure.

[Screenshots: Garbage Collection Cycle - 1, Garbage Collection Cycle - 2, Garbage Collection Cycle - 3]

Impact:

In this type of vulnerability the impact depends entirely on what kind of information is leaked. In my case the severity was low, but if the information were PII the severity could be high to critical.

Mitigation:

When a fix is deployed it should be tested properly against all the ways the issue can be reproduced, not only the single request from the original report: repeat the request, and send it from different clients (curl and a browser, including a reload), because a fix that answers 404 to one of them is not proof that the endpoint is gone.
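The durable fix is to keep the metrics route off the public listener altogether, so there is no header, cache state or retry that can reach it, and to serve it on a separate operations listener instead. The code below is an added example written for this post and is not hey.com's code; the hostname and the GC-cycle metrics suggest a Go service, which is my assumption, so the example is in Go. It exposes a handful of runtime GC figures on an internal mux bound to loopback, with a loopback check on the remote address as a second guard in case that listener is ever bound more widely, while the public mux has no /metrics route at all. The metric names and content type follow the Prometheus text format for illustration only.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
	"runtime"
)

// metricsHandler writes a few Go runtime GC figures in Prometheus text format.
// It stands in for a real exporter; the exact metric names are illustrative.
func metricsHandler(w http.ResponseWriter, r *http.Request) {
	var ms runtime.MemStats
	runtime.ReadMemStats(&ms)
	w.Header().Set("Content-Type", "text/plain; version=0.0.4")
	fmt.Fprintf(w, "# TYPE go_gc_cycles_total counter\ngo_gc_cycles_total %d\n", ms.NumGC)
	fmt.Fprintf(w, "# TYPE go_memstats_heap_alloc_bytes gauge\ngo_memstats_heap_alloc_bytes %d\n", ms.HeapAlloc)
}

// NewPublicHandler builds the Internet-facing mux. /metrics is simply never
// registered here, so no client behaviour can make it appear.
func NewPublicHandler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/" {
			http.NotFound(w, r)
			return
		}
		fmt.Fprintln(w, "hello from the public listener")
	})
	return mux
}

// NewInternalHandler builds the mux for the operations listener. It is meant
// to be bound to loopback or a private interface; loopbackOnly is a second
// guard for the case where someone later binds it to all interfaces.
func NewInternalHandler() http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/metrics", loopbackOnly(http.HandlerFunc(metricsHandler)))
	return mux
}

// loopbackOnly rejects requests whose TCP peer is not a loopback address.
// This checks the direct peer, so it is not a substitute for binding the
// listener correctly when a reverse proxy sits in front of the service.
func loopbackOnly(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host, _, err := net.SplitHostPort(r.RemoteAddr)
		ip := net.ParseIP(host)
		if err != nil || ip == nil || !ip.IsLoopback() {
			http.NotFound(w, r)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Operations listener on loopback only; the public listener never learns
	// about /metrics. Ports are arbitrary choices for the example.
	go func() {
		log.Fatal(http.ListenAndServe("127.0.0.1:9090", NewInternalHandler()))
	}()
	log.Fatal(http.ListenAndServe(":8080", NewPublicHandler()))
}
```

With this layout a scraper on the host reads http://127.0.0.1:9090/metrics, and the retest of the public host returns the same 404 for every client and every attempt because the route does not exist there.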

|Penetration Tester| |Hack The Box| |Digital Forensics| |Malware Analysis|

Jerry Shah (Jerry)