How We Were Able to Fetch Internal Server Resources
Written by Snir Aviv on
Introduction
During a penetration test of a web application, we discovered a critical finding: publicly accessible Git metadata that gave us access to a private Git repository, which in turn exposed highly sensitive files. The application authenticates doctors and patients and holds sensitive medical information.
How We Found the Critical Finding
Step 1: Initial Access to the Web Application
We accessed the web application and mapped its logic by reviewing the client-side code and exercising its basic functionality. While doing so, we noticed that a directory named docs was referenced repeatedly by the application. At first glance it returned nothing interesting: an HTTP 200 OK response with no useful content.
Step 2: Fuzzing
Continuing the test, we decided to focus on this directory and fuzz it with a well-known wordlist that is freely available on the Internet. In doing so, we found several Git metadata files that were publicly accessible. One of them was the Git configuration file, which returned the repository's settings and included the complete URL of an interesting remote repository.
Step 3: Putting All Together and Exploit
This repository could be easily cloned, and a quick inspection showed that it contained server-side code. In addition, we found resources holding sensitive data about users and administrators of the application, including IDs, email addresses and phone numbers, as well as credentials in clear text.
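The three steps above amount to a repeatable check: probe a directory for Git metadata files, confirm that a 200 response really is Git content rather than a custom "not found" page, and extract the remote URL from .git/config. The following script is an added example written for this article, not Clear Gate's tooling and not the target's data. The host names, paths and config contents are constructed for illustration, and the HTTP fetch is injected as a function so the logic runs offline; the same verify_blocked() check is what you would re-run after the mitigation below is applied.

```python
"""Added example (not from the original post): probe a web root for an exposed
.git directory, validate the hits, pull the remote URL out of .git/config, and
re-check after a fix. Network I/O is injected so the logic runs offline on
constructed responses; every host and path below is an illustrative assumption."""
import re
from typing import Callable, Dict, List, Optional, Tuple

# Files a typical wordlist hits inside an exposed .git directory.
GIT_PROBES = [".git/HEAD", ".git/config", ".git/index", ".git/logs/HEAD"]

# .git/HEAD starts with "ref: refs/..." or, on a detached HEAD, a 40-hex SHA.
HEAD_RE = re.compile(r"^(ref: refs/|[0-9a-f]{40}\s*$)")


def looks_like_git_file(path: str, body: str) -> bool:
    """Reject soft-404s (custom 'not found' pages served with HTTP 200)
    by checking that the payload has the shape of the Git file requested."""
    if path.endswith("HEAD"):
        return HEAD_RE.match(body) is not None
    if path.endswith("config"):
        return "[core]" in body
    if path.endswith("index"):
        return body.startswith("DIRC")  # magic bytes of the Git index file
    return True


def parse_git_remotes(config_text: str) -> Dict[str, str]:
    """Return {remote_name: url} from a .git/config without running git."""
    remotes: Dict[str, str] = {}
    current: Optional[str] = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r'^\[remote "([^"]+)"\]$', line)
        if m:
            current = m.group(1)
            continue
        if line.startswith("["):  # any other section ends the remote block
            current = None
            continue
        if current and line.startswith("url"):
            _key, _sep, value = line.partition("=")
            remotes[current] = value.strip()
    return remotes


Fetch = Callable[[str], Tuple[int, str]]  # url -> (status, body)


def find_exposed_git(base: str, fetch: Fetch) -> List[str]:
    """Return the probe URLs that are genuinely serving Git metadata."""
    hits: List[str] = []
    for probe in GIT_PROBES:
        url = f"{base.rstrip('/')}/{probe}"
        status, body = fetch(url)
        if status == 200 and looks_like_git_file(probe, body):
            hits.append(url)
    return hits


def verify_blocked(base: str, fetch: Fetch) -> bool:
    """Post-fix check: no probe may return 200 with Git-looking content."""
    return not find_exposed_git(base, fetch)


# Constructed sample data standing in for the target (illustrative hosts).
SAMPLE_CONFIG = """[core]
\trepositoryformatversion = 0
\tfilemode = true
\tbare = false
[remote "origin"]
\turl = https://git.example.invalid/clinic/portal-backend.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[branch "main"]
\tremote = origin
\tmerge = refs/heads/main
"""
BEFORE_FIX = {
    "https://app.example.invalid/docs/.git/HEAD": (200, "ref: refs/heads/main\n"),
    "https://app.example.invalid/docs/.git/config": (200, SAMPLE_CONFIG),
}
SOFT_404 = (200, "<html><body>Page not found</body></html>")


def fetch_before(url: str) -> Tuple[int, str]:
    """Simulated pre-fix server: two real Git files, soft-404 for the rest."""
    return BEFORE_FIX.get(url, SOFT_404)


def fetch_after(url: str) -> Tuple[int, str]:
    """Simulated post-fix server: everything under .git is denied."""
    return (403, "Forbidden")


if __name__ == "__main__":
    base = "https://app.example.invalid/docs"
    hits = find_exposed_git(base, fetch_before)
    print("exposed:", hits)
    print("remotes:", parse_git_remotes(fetch_before(base + "/.git/config")[1]))
    print("blocked after fix:", verify_blocked(base, fetch_after))
```

The content check matters in practice: the docs directory in this engagement answered 200 to everything, so a scanner that trusts status codes alone would report every wordlist entry as a hit. Once the remote URL is known, the repository itself is fetched with an ordinary git clone; nothing in the script above attempts that.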
Mitigation
Clear Gate advised blocking Internet access to the exposed sensitive files. After the fix was implemented, Clear Gate confirmed that it had been applied correctly and that the risk no longer applied.
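One common way to implement such a block at the web server, shown here as an added example and not as the configuration the client actually deployed, is to deny every request whose path contains a .git segment at any depth. An nginx front end is assumed; the rule is a regex location so that it also covers nested copies such as /docs/.git/config, which a rule anchored only at the site root would miss.

```nginx
# Added example (assumed nginx front end, not the client's configuration).
# Match ".git" as a path segment anywhere in the URI, including nested
# directories, and answer with 404 so the directory's existence is not
# confirmed. The same pattern covers other VCS metadata directories.
location ~ /\.(git|svn|hg)(/|$) {
    return 404;
}
```

The block treats the symptom; the root cause is that a working tree, .git directory included, was deployed to a web-served path. Deploying build artifacts instead of a checkout, or excluding .git at deploy time, removes the file so there is nothing to block. Either way, re-test after the change by requesting paths such as /docs/.git/HEAD and checking both the status code and the body, since a server that still returns 200 with "ref: refs/heads/..." has not been fixed.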