Medium · CVSS 5.3 · Information Disclosure

[EN] Public Exposure of Internal API Models (.smd)

Vulnerability Summary

This writeup details an Information Disclosure (CWE-200) vulnerability that allowed viewing the source code and complete domain model mapping of a corporate backend.

Anonymization Note: All data (domains, paths, URIs, service names and Java classes) has been strictly anonymized using entirely fictional nomenclature (e.g., internal-dashboard.corp.net). This report documents the intelligence-gathering mechanics against a JSON-RPC framework in a simulated environment so that the affected infrastructure cannot be identified.

Through the public exposure of .smd (Service Mapping Description) files, an unauthenticated remote attacker could map out over 17,000 internal methods, database queries and Java class hierarchies, obtaining a detailed map of the backend from which to escalate further attacks.

Vulnerability Analysis

The target used a legacy JSON-RPC framework (similar to WaveMaker) that automatically publishes a descriptor for each backend service so the frontend knows which methods exist and how to call them. These descriptors are the .smd files.

Unfortunately, the server's security configuration did not restrict direct access to these static descriptors. Simple search-engine dorking, or directory scanning against paths such as /api/services/, revealed that the files were reachable on the production server.

The Payload (PoC) and Data Dump

No complex interactive exploitation was required, only knowledge of the paths and plain, unauthenticated GET requests:

GET /api/services/authService.smd.json?rand=1.111 HTTP/1.1
Host: internal-dashboard.corp.net

By downloading the exposed files (such as authService.smd, databaseDB.smd, FileHandlingNode.smd, etc.), large JSON structures were obtained that together described the company's entire backend service surface.
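To show what an attacker does with a downloaded descriptor, here is an added example (not code from the writeup or from the affected application) that parses an SMD file, enumerates every method and its parameters, flags names that hint at dangerous functionality, and builds the JSON-RPC request body a client would send to invoke one of them. The embedded SMD is a constructed sample in the Dojo-style SMD shape that WaveMaker-era frameworks publish; the method names, the keyword list, the /api/services/<name>.smd.json?rand= URL pattern (taken from the request above) and the JSON-RPC 1.0 body shape are all assumptions for illustration.

```python
import json

# Constructed sample descriptor (illustrative, not data from the writeup).
# Real .smd files from this framework carry the same top-level fields:
# the RPC endpoint, the service object name and a "methods" array.
SAMPLE_SMD = json.dumps({
    "SMDVersion": ".1",
    "serviceType": "JSON-RPC",
    "serviceURL": "/api/services/databaseDB.json",
    "objectName": "databaseDB",
    "methods": [
        {"name": "getUserByEmail",
         "parameters": [{"name": "email", "type": "STRING"}]},
        {"name": "runRawQuery",
         "parameters": [{"name": "sql", "type": "STRING"}]},
        {"name": "resetPassword",
         "parameters": [{"name": "userId", "type": "LONG"},
                        {"name": "newPassword", "type": "STRING"}]},
    ],
})

# Assumed triage keywords; tune per target.
SENSITIVE_KEYWORDS = ("password", "query", "sql", "token", "admin", "delete", "exec")


def smd_url(base, service, rand="1.111"):
    """Build the descriptor URL in the pattern seen in the PoC request.

    The rand parameter is only a cache-buster; any value works.
    """
    return f"{base.rstrip('/')}/api/services/{service}.smd.json?rand={rand}"


def parse_smd(text):
    """Return the service name, its RPC endpoint and (method, [(param, type)]) tuples."""
    smd = json.loads(text)
    methods = []
    for m in smd.get("methods", []):
        params = [(p.get("name", "?"), p.get("type", "?"))
                  for p in m.get("parameters", [])]
        methods.append((m["name"], params))
    return {"service": smd.get("objectName"),
            "endpoint": smd.get("serviceURL"),
            "methods": methods}


def flag_sensitive(parsed):
    """Return method names whose name or parameter names match a triage keyword."""
    hits = []
    for name, params in parsed["methods"]:
        haystack = " ".join([name] + [p for p, _ in params]).lower()
        if any(k in haystack for k in SENSITIVE_KEYWORDS):
            hits.append(name)
    return hits


def jsonrpc_call(method, *params, call_id=1):
    """Body a JSON-RPC 1.0 client would POST to the service endpoint (assumed shape)."""
    return {"id": call_id, "method": method, "params": list(params)}


if __name__ == "__main__":
    parsed = parse_smd(SAMPLE_SMD)
    print("descriptor:", smd_url("https://internal-dashboard.corp.net", "databaseDB"))
    for name, params in parsed["methods"]:
        sig = ", ".join(f"{n}: {t}" for n, t in params)
        print(f"{parsed['endpoint']} -> {name}({sig})")
    print("worth a closer look:", flag_sensitive(parsed))
    print("example call:", json.dumps(jsonrpc_call("getUserByEmail", "user@corp.net")))
```

Run against a directory of downloaded descriptors, the same three functions turn thousands of methods into a ranked list of endpoints to test for authorization and injection issues, which is exactly why the descriptors must not be reachable without authentication.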

Below is a small, representative snippet of what was extracted from a database .smd file:
