Vulnerability Summary
This writeup details an Information Disclosure (CWE-200) vulnerability that allowed viewing the source code and complete domain model mapping of a corporate backend.
Censorship Note: All data (domains, paths, URIs, service names, and Java classes) has been strictly anonymized using entirely fictional nomenclature (e.g., internal-dashboard.corp.net). This report documents intelligence-gathering mechanics on a JSON-RPC framework within a simulated environment to guarantee 100% privacy for the affected infrastructure.
Through the public exposure of .smd (Service Mapping Description) files, an unauthenticated remote attacker could successfully map out over 17,000 internal methods, database queries, and Java class hierarchies, providing a perfect treasure map to escalate attacks.
The target utilized a legacy JSON-RPC framework (similar to WaveMaker) that automatically documents backend services so the frontend knows how to communicate with them. This documentation is generated through .smd files.
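To make the exposure concrete from the defender's side, the following added example (not code from the writeup or from any framework) parses an SMD document and reports what an unauthenticated client could learn from it: the service URL, every advertised method, and the methods that take no arguments at all, which is a simple heuristic for bulk-return endpoints worth reviewing first. The SMD layout assumed here is the Dojo-style one (`objectName`, `serviceURL`, `methods` list) with a fallback for the `services` map used by later SMD revisions; the sample document is constructed for the example.

```python
"""Inventory the methods advertised by a Service Mapping Description (SMD).

Added example for auditing your own deployment: feed it each .smd your web
root serves and compare the result against what is meant to be public.
Assumed layout: Dojo-style SMD ("objectName", "serviceURL", "methods")
with a fallback for the "services" map of later SMD revisions.
"""
import json

# Constructed sample SMD; not data from the report.
SAMPLE_SMD = json.dumps({
    "SMDVersion": ".1",
    "objectName": "EmployeeService",
    "serviceType": "JSON-RPC",
    "serviceURL": "/services/EmployeeService.json",
    "methods": [
        {"name": "getEmployeeById",
         "parameters": [{"name": "id", "type": "NUMBER"}]},
        {"name": "listAllEmployees", "parameters": []},
        {"name": "runNamedQuery",
         "parameters": [{"name": "queryName", "type": "STRING"},
                        {"name": "args", "type": "ARRAY"}]},
    ],
})


def parse_smd(text):
    """Return the service name, its URL and a list of (method, arg_count)."""
    doc = json.loads(text)
    methods = []
    if isinstance(doc.get("methods"), list):
        # Dojo-style SMD: methods is a list of {name, parameters}
        for m in doc["methods"]:
            methods.append((m.get("name", "?"), len(m.get("parameters", []))))
    elif isinstance(doc.get("services"), dict):
        # Later SMD revisions: services is a map of name -> {parameters, ...}
        for name, spec in doc["services"].items():
            methods.append((name, len(spec.get("parameters", []))))
    return {
        "service": doc.get("objectName") or doc.get("target") or "?",
        "url": doc.get("serviceURL") or doc.get("target") or "?",
        "methods": methods,
    }


def exposure_summary(text):
    """Summarise what an unauthenticated reader of this SMD learns.

    zero_arg_methods is a review heuristic (an assumption of this example):
    a method that needs no selector often returns a whole collection.
    """
    info = parse_smd(text)
    return {
        "service": info["service"],
        "url": info["url"],
        "method_count": len(info["methods"]),
        "zero_arg_methods": [n for n, k in info["methods"] if k == 0],
    }


if __name__ == "__main__":
    summary = exposure_summary(SAMPLE_SMD)
    print(f"{summary['service']} at {summary['url']}: "
          f"{summary['method_count']} methods advertised")
    for name in summary["zero_arg_methods"]:
        print(f"  review first (no arguments): {name}")
```

Run it against the .smd files your build actually ships; the fix the writeup implies is that these descriptors should sit behind the same authentication as the services they describe, or not be reachable from the public web root at all.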
A hardcoded backend URL found in a JavaScript bundle exposed an unauthenticated API endpoint that returned 500+ records containing employee full names, enterprise client details, and internal database IDs. The writeup walks through discovering the URL in the JS bundle, querying the API, and the GDPR/business intelligence impact.
HackerOne disclosed report --> https://hackerone.com/reports/3443563 by somerandomdev
An unprotected endpoint allowed the exfiltration, via a simple unauthenticated POST request, of gigabytes of configurations, structural metadata, and private personal/corporate information belonging to the organizations using the software.