Investigation Reveals Potential Vulnerability in Web API
Quick take - The article discusses a cybersecurity investigation where various tools were used to uncover hidden URLs and analyze a web application, leading to the discovery of an API with potential security vulnerabilities, which the author ultimately reported after extensive testing and exploration.
Fast Facts
- The article discusses the growing interest in cybersecurity tools for retrieving hidden URLs and analyzing web applications, highlighting tools like gau and waybackurls.
- An investigation revealed an API capable of generating PDFs from a GET parameter, leading to the discovery of a validation bypass.
- The API was hosted on an AWS EC2 instance, and multiple IP addresses suggested a complex backend infrastructure.
- Attempts to extract metadata from generated PDFs were mostly unsuccessful, but some requests returned AWS metadata, indicating a potential security vulnerability.
- The author reported the identified vulnerability after a six-hour investigation, which included scanning for open ports and exploring internal domains.
Analyzing Web Applications: A Cybersecurity Investigation
Tools for URL Retrieval
The use of various tools to retrieve hidden URLs and analyze web applications is a growing area of interest in cybersecurity. Tools like gau and waybackurls have proven effective in obtaining URLs, providing a foundation for deeper analysis. In a recent investigation, an author utilized these tools to examine a specific website.
Discovery of API Vulnerabilities
During this analysis, an API was discovered that could generate PDF documents based on a provided GET parameter. Initial attempts to read local files through this API were unsuccessful, prompting the author to experiment with different URLs in the API parameter. Through this experimentation, a validation bypass was discovered, allowing the generation of a PDF containing references to Google.
Further testing involved submitting a collaborator’s URL to the API, which revealed that the API was hosted on an AWS EC2 instance. Multiple IP addresses were observed over the course of the investigation, suggesting a fairly complex backend infrastructure. An attempt to extract metadata from the generated PDF returned a blank page, and when a domain the server could not reach was supplied, the API returned an internal server error, showing how it behaved when the fetch failed.
After multiple requests, some responses came back with a 200 status and contained AWS metadata. Because that metadata should never be reachable through a public PDF generator, its exposure pointed to a security vulnerability, and the author considered reporting the issue on the basis of this finding.
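The core defect described above is a server-side renderer that fetches whatever URL it is handed, with a validation step that could be bypassed. The check below is an added example written for this summary, not code from the article or the affected service: it validates a fetch target by scheme, by exact hostname (optionally against an allowlist), and by resolving the name and rejecting any answer in a loopback, private, link-local (where the cloud metadata endpoint 169.254.169.254 lives), reserved or multicast range, including IPv4-mapped IPv6 forms. The hostnames, addresses and the `CONSTRUCTED_DNS` table are constructed so the example runs offline; `resolve_safe_target`, `constructed_resolver` and `_is_forbidden_address` are hypothetical names.

```python
"""Hardened target validation for a server-side URL-to-PDF feature (added example)."""
import ipaddress
import socket
from urllib.parse import urlsplit


def _is_forbidden_address(ip) -> bool:
    """Addresses a server-side fetcher must never contact: loopback, RFC 1918,
    link-local (the instance metadata endpoint 169.254.169.254 lives there),
    reserved, multicast and unspecified ranges."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:a.b.c.d is really an IPv4 destination
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def resolve_safe_target(url, allowed_hosts=None, resolver=socket.getaddrinfo):
    """Validate a user-supplied URL before the renderer fetches it.

    Returns the list of IP addresses (as strings) the fetcher may connect to,
    or None when the URL must be rejected. `resolver` has getaddrinfo's
    signature so a constructed DNS view can be injected for offline tests.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None                      # no file://, gopher://, ftp:// ...
    try:
        host, port = parts.hostname, parts.port
    except ValueError:
        return None                      # malformed port
    if not host:
        return None
    if allowed_hosts is not None and host.lower() not in allowed_hosts:
        return None                      # exact hostname match, never a substring test
    port = port or (443 if parts.scheme == "https" else 80)
    try:
        infos = resolver(host, port, proto=socket.IPPROTO_TCP)
    except (socket.gaierror, ValueError):
        return None
    addrs = []
    for *_, sockaddr in infos:
        try:
            ip = ipaddress.ip_address(sockaddr[0])
        except ValueError:
            return None                  # unparsable answer (e.g. scoped IPv6)
        if _is_forbidden_address(ip):
            return None                  # one forbidden answer rejects the name
        addrs.append(str(ip))
    return addrs or None


# Constructed DNS view for an offline demonstration (not real records).
CONSTRUCTED_DNS = {
    "www.example.com": ["93.184.216.34"],                 # placeholder public address
    "mixed.example.com": ["93.184.216.34", "10.0.0.5"],   # public answer plus RFC 1918
    "meta.example.com": ["169.254.169.254"],              # name pointing at the metadata service
    "v6.example.com": ["::ffff:127.0.0.1"],               # IPv4-mapped loopback
    "localhost": ["127.0.0.1"],
}


def constructed_resolver(host, port, proto=None):
    """getaddrinfo stand-in answering from CONSTRUCTED_DNS and IP literals."""
    try:
        ipaddress.ip_address(host)
        answers = [host]
    except ValueError:
        answers = CONSTRUCTED_DNS.get(host)
        if answers is None:
            raise socket.gaierror(host)
    return [(socket.AF_UNSPEC, socket.SOCK_STREAM, socket.IPPROTO_TCP, "", (a, port))
            for a in answers]


if __name__ == "__main__":
    for candidate in ("https://www.example.com/report",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://meta.example.com/",
                      "http://localhost:3000/",
                      "file:///etc/passwd"):
        print(candidate, "->", resolve_safe_target(candidate, resolver=constructed_resolver))
```

Two things the check alone does not cover: the fetcher must connect to the addresses this function returns rather than resolving the name a second time (otherwise a name that changes its answer between the check and the connect slips through), and every redirect the target issues must be run through the same validation before it is followed.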
Conclusion and Next Steps
Curiosity about the internal network led to further exploration; however, no actions were taken on the EC2 instance due to its production status. During the scanning process, internal domains were identified but ultimately deemed not useful. An attempt to scan localhost for open ports revealed port 3000, typically associated with Node.js applications. This scanning effort resulted in a denial of service, prompting the author to halt all scanning activities.
Realizing the potential implications of the identified vulnerability, the author reported it. The entire investigative process spanned over six hours, illustrating the complexity and depth of the analysis conducted. The article concludes with a note of gratitude to readers for their engagement.
Original Source: Read the Full Article Here