Server Side Misconfigurartion - A Funny Fix

Summary :

I would like to enlighten you guys about my recent finding. It was my luck that I by mistakenly clicked the Reload button on a 404 page and got an information disclosure. The vulnerability is resolved properly now.

I was recently reading the Hackerone Hacktivity page and saw a published report (https://hackerone.com/reports/981796) which was related to information disclosure on one of the subdomain of hey.com and the endpoint was https://gopher.hey.com/metrics. While reading the report the steps to reproduce the issue was mentioned, so I thought of reproducing the issue and at first it gave me 404 not found error but when I clicked on reload button I got the access to the endpoint again. The issue was resolved in the above mentioned report but due to improper fix it was reproducible again.

When I tried to reproduce the issue using curl command (curl https://gopher.hey.com/metrics) it gave me 404 every time but when I visited the web with the same URL the 1st thing was 404 and then after clicking reload button the information was disclosed. The information was related to garbage collection cycle.

Previously deployed fix :

Previous Fix

How I found this vulnerability ?

  1. I went to https://gopher.hey.com/metrics and got 404 error
404 Not Found

2. Then I clicked on reload and got the information disclosure

Garbage Collection Cycle - 1
Garbage Collection Cycle - 2
Garbage Collection Cycle - 3

Impact :

In this type of vulnerabilities the impact completely depends upon what kind of information is getting leaked. In my case the severity was low but if the information is related to PII then the severity could be high to critical.

Mitigation :

When the fix is deployed it should be tested properly with all the ways of how it can be reproduced.

|Penetration Tester| |Hack The Box| |Digital Forensics| |Malware Analysis|