Server Side Misconfiguration - A Funny Fix


Summary :

I would like to enlighten you guys about my recent finding. It was my luck that I mistakenly clicked the Reload button on a 404 page and got an information disclosure. The vulnerability is resolved properly now.


I was recently reading the Hackerone Hacktivity page and saw a published report (https://hackerone.com/reports/981796) which was related to information disclosure on one of the subdomains of hey.com; the endpoint was https://gopher.hey.com/metrics. While reading the report, the steps to reproduce the issue were mentioned, so I thought of reproducing the issue. At first it gave me a 404 Not Found error, but when I clicked on the reload button I got access to the endpoint again. The issue was resolved in the above mentioned report, but due to an improper fix it was reproducible again.

When I tried to reproduce the issue using the curl command (curl https://gopher.hey.com/metrics) it gave me 404 every time, but when I visited the same URL in a web browser the first response was 404, and after clicking the reload button the information was disclosed. The information was related to garbage collection cycles.

Previously deployed fix :

Previous Fix

How I found this vulnerability?

404 Not Found

2. Then I clicked on reload and got the information disclosure

Garbage Collection Cycle - 1
Garbage Collection Cycle - 2
Garbage Collection Cycle - 3

Impact :

In this type of vulnerability the impact depends entirely on what kind of information is leaked. In my case the severity was low, but if the information is related to PII then the severity could be high to critical.

Mitigation :

When a fix is deployed, it should be tested properly against every way the issue can be reproduced. Here the endpoint answered 404 to a plain curl request but still served the metrics to a browser after a reload, so verifying the fix with a single client would have missed the regression.
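An added regression check (not code from the original post or from hey.com) that encodes this lesson: it fetches an endpoint under several request variants, including browser-like and reload-style headers, and reports any variant that still serves the metrics. The variant list and the Prometheus-style `# HELP` marker are assumptions; the post only states that curl got 404 while a browser reload got the data.

```python
"""Regression check: does a 'closed' endpoint stay closed for every request variant?"""
import urllib.request
import urllib.error

# Constructed list of request shapes a browser reload can produce but a bare
# `curl URL` does not. Assumption: the post does not say which difference mattered.
VARIANTS = {
    "bare": {},
    "browser-ua": {"User-Agent": "Mozilla/5.0", "Accept": "text/html,*/*;q=0.8"},
    "reload": {"User-Agent": "Mozilla/5.0", "Cache-Control": "no-cache",
               "Pragma": "no-cache"},
    "gzip": {"Accept-Encoding": "gzip, deflate"},
}


def http_fetch(url, headers):
    """Return (status, body) for a real request; 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def probe(url, fetch=http_fetch, variants=VARIANTS, marker="# HELP"):
    """Fetch url under every variant.

    A variant 'leaks' when it returns 200 and the body carries the marker
    (assumed Prometheus exposition format; adjust marker for other formats).
    `fetch` is injectable so the check can run against a stub without network.
    """
    results = {}
    for name, headers in variants.items():
        status, body = fetch(url, headers)
        results[name] = {"status": status, "leaks": status == 200 and marker in body}
    return results


def fix_holds(results):
    """True only when no variant leaks; the fix is not done until this is True."""
    return not any(r["leaks"] for r in results.values())


if __name__ == "__main__":
    # Replace with the endpoint you own and are verifying.
    report = probe("https://example.invalid/metrics")
    for name, r in report.items():
        print(f"{name:12s} status={r['status']} leaks={r['leaks']}")
    print("fix holds" if fix_holds(report) else "FIX INCOMPLETE: some variant still leaks")
```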

