Information Disclosure - snoopysecurity/dvws-node GitHub Wiki
Introduction
Information disclosure issues can leak useful details about an API, such as its underlying technology stack and how the web service has been built. An attacker can use this information to plan further attacks.
Details
Example 1
By sending invalid characters to multiple areas of the web service and its corresponding APIs, it is possible to trigger a stack trace that discloses useful information.
Example 2
When creating a user, a POST request is sent to the /api/v2/users API with a chosen username and password. The returned response contains the pass
HTTP/1.1 201 Created
X-Powered-By: Express
Access-Control-Allow-Origin: http://dvws.local
Vary: Origin
Access-Control-Allow-Credentials: true
Cache-Control: no-store, no-cache, must-revalidate, private
Content-Type: application/json; charset=utf-8
Content-Length: 105
ETag: W/"69-3jcfFNYFYt20Yhfxiql41EQ1Dho"
Date: Sat, 22 Aug 2020 19:28:43 GMT
Connection: close
{"status":201,"user":"foobar2","password":"$2b$10$i80.0h9YCOvVOe6gAngqGuv4NHbvV.KgjBQfbxx0nLqPht0x4.ye2"}
Example 3
The /api/v1/info endpoint reveals sensitive system information.
GET /api/v1/info HTTP/1.1
Host: dvws.local
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: application/json, text/plain, */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiZm9vYmFyIiwicGVybWlzc2lvbnMiOlsidXNlcjpyZWFkIiwidXNlcjp3cml0ZSIsInVzZXI6YWRtaW4iXSwiaWF0IjoxNTk4MTg5NDA3LCJleHAiOjE1OTgzNjIyMDcsImlzcyI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zbm9vcHlzZWN1cml0eSJ9.9784gQLn2rbCz3W87zs0uxAlyVnQz3r032cpqtU3Yl0
X-Requested-With: XMLHttpRequest
Connection: close
HTTP/1.1 200 OK
X-Powered-By: Express
Vary: Origin
Access-Control-Allow-Credentials: true
Content-Type: application/json; charset=utf-8
Content-Length: 16534
ETag: W/"4096-cCijf4QMNX7dM1LLBNZrbj8pa7A"
Date: Sun, 31 Oct 2021 22:33:27 GMT
Connection: close
{"title":"/usr/bin/node","version":"v13.14.0","versions":{"node":"13.14.0","v8":"7.9.317.25-node.32","uv":"1.37.0","zlib":"1.2.11","brotli":"1.0.7","ares":"1.16.0","modules":"79","nghttp2":"1.40.0","napi":"6","llhttp":"2.0.4","openssl":"1.1.1g","cldr":"36.1","icu":"66.1","tz":"2019c","unicode":"13.0"
Example 4
The X-Powered-By response header reveals that Express is in use.
POST /api/v2/login HTTP/1.1
Host: dvws.local
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/plain, */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
Origin: http://dvws.local
Connection: close
Referer: http://dvws.local/
usernamsse=test&password=test
HTTP/1.1 404 Not Found
X-Powered-By: Express
Access-Control-Allow-Origin: http://dvws.local
Vary: Origin
Access-Control-Allow-Credentials: true
Cache-Control: no-store, no-cache, must-revalidate, private
Content-Type: application/json; charset=utf-8
Content-Length: 64
ETag: W/"40-LER+Mb8UUHc4ATql91WLmweM2Pw"
Date: Sun, 31 Oct 2021 22:31:11 GMT
Connection: close
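The four examples above share a common shape: a framework fingerprint in the X-Powered-By header, a password hash echoed back on user creation, runtime version data from /api/v1/info, and stack traces on malformed input. The following dependency-free auditor, added here as an example and not part of the dvws-node project or wiki, flags those patterns in a raw HTTP response; the sample responses inside it are constructed after the captures above, and the file path in the stack-trace sample is made up.

```javascript
// Added example (not dvws-node project code): a dependency-free auditor that
// flags, in a raw HTTP response, the disclosure patterns shown on this page.
// Sample responses below are constructed after the captures above.

const BCRYPT_HASH = /\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}/; // bcrypt hash as returned on user creation
const STACK_FRAME = /^\s+at .+ \(.+:\d+:\d+\)$/m;         // one V8 stack-trace frame line
const SEMVER = /^v?\d+\.\d+\.\d+/;                         // e.g. "v13.14.0" from /api/v1/info

// Split a raw response into status code, lower-cased header map and body.
function parseResponse(raw) {
  const [head, ...rest] = raw.split(/\r?\n\r?\n/);
  const [statusLine, ...headerLines] = head.split(/\r?\n/);
  const headers = {};
  for (const line of headerLines) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { status: Number(statusLine.split(' ')[1]), headers, body: rest.join('\n\n') };
}

// Return the list of disclosure findings for one raw response (empty if clean).
function auditResponse(raw) {
  const { headers, body } = parseResponse(raw);
  const findings = [];
  if (headers['x-powered-by']) findings.push(`framework fingerprint: X-Powered-By: ${headers['x-powered-by']}`);
  if (BCRYPT_HASH.test(body)) findings.push('password hash in response body');
  if (STACK_FRAME.test(body)) findings.push('stack trace in response body');
  try {
    const json = JSON.parse(body); // throws on non-JSON or truncated bodies
    if (json && typeof json === 'object' && ('versions' in json || SEMVER.test(String(json.version)))) {
      findings.push('runtime version information in response body');
    }
  } catch (_) { /* not JSON: the regex checks above still cover it */ }
  return findings;
}

// Constructed samples: user creation, an /api/v1/info-style body, an unhandled error, a clean response.
const SAMPLE_CREATE_USER = 'HTTP/1.1 201 Created\r\nX-Powered-By: Express\r\nContent-Type: application/json\r\n\r\n' +
  '{"status":201,"user":"foobar2","password":"$2b$10$i80.0h9YCOvVOe6gAngqGuv4NHbvV.KgjBQfbxx0nLqPht0x4.ye2"}';
const SAMPLE_INFO = 'HTTP/1.1 200 OK\r\nX-Powered-By: Express\r\nContent-Type: application/json\r\n\r\n' +
  '{"title":"/usr/bin/node","version":"v13.14.0","versions":{"node":"13.14.0","openssl":"1.1.1g"}}';
const SAMPLE_STACK_TRACE = 'HTTP/1.1 500 Internal Server Error\r\nX-Powered-By: Express\r\nContent-Type: text/html\r\n\r\n' +
  'TypeError: Cannot read property \'id\' of undefined\n    at handler (/app/routes/users.js:42:15)'; // path is made up
const SAMPLE_CLEAN = 'HTTP/1.1 201 Created\r\nContent-Type: application/json\r\n\r\n{"status":201,"user":"foobar2"}';

for (const s of [SAMPLE_CREATE_USER, SAMPLE_INFO, SAMPLE_STACK_TRACE, SAMPLE_CLEAN]) console.log(auditResponse(s));
```

The same checks can run over a proxy's saved responses to confirm that disabling X-Powered-By, stripping the hash from the user object and installing a generic error handler actually removed the disclosures.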