Exploiting vulnerabilities through front-end information leakage

Preface

In bug hunting, what matters is not only your ability to collect assets but, even more, carefulness. Unremarkable front-end files often bring unexpected surprises.

Start

During one round of vulnerability hunting I was, as always, hopeless: even after grinding for a long time I could not dig up a single low-severity bug. After a while I decided to press F12 and console myself with the console.

The only directory shown in the (Firefox) debugger was static. We all know that 99% of the files under static are useless, but I clicked on it just in case. When I opened it, I found the familiar webpack directory lying underneath.

PS: forgive the heavy redaction. This is an annual test project for a government platform, and if it leaked I would be invited for tea.

To clarify, what is webpack?

Webpack is a front-end resource loading/bundling tool. It statically analyses module dependencies and then, following the rules you configure, generates the corresponding static resources from those modules; multiple static assets (JS, CSS, Less) can be combined into a single file, reducing page requests. It runs on Node.js. The security-relevant consequence is that the bundle carries whatever the original modules contained, including API paths, base URLs and configuration constants, and if source maps (.map files) were deployed alongside it, the un-minified original source as well.

In plain words, it takes over the job of all the other static files, so it is one place to search for sensitive data or interfaces.

With an excited heart and trembling hands, I started rummaging through it.

The veterans' experience did not let me down: I found several API endpoints.
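As an added example (my own code, not code from the original post), here is a small Node.js script that does the sifting described above automatically: it pulls route-like string literals, absolute URLs, credential names and any deployed source-map reference out of a bundle. The bundle it scans is a constructed snippet; the host names, routes and token names in it are assumptions made up for the demo, not the target's code.

```javascript
// Added example (not from the original post): mine a webpack bundle for the
// kind of leads the write-up describes: API paths, base URLs, credential
// names and a deployed source map. The bundle text below is constructed for
// the demo; every host, route and token name in it is made up.
const SAMPLE_BUNDLE = `
(self.webpackChunk=self.webpackChunk||[]).push([[123],{
"./src/api/config.js":function(e,t,n){
  t.baseURL="https://api.example-target.com/v2";
  t.ossBucket="https://avatars.example-target.com";
},
"./src/api/user.js":function(e,t,n){
  var a=n("./src/api/config.js");
  t.getProfile=function(groupId){return fetch(a.baseURL+"/group/"+groupId+"/profile",{headers:{"ACCESS_TOKEN":getCookie("access_token")}})};
  t.setAvatar=function(groupId,url){return fetch(a.baseURL+"/group/"+groupId+"/avatar",{method:"POST",body:JSON.stringify({imageUrl:url})})};
  t.listGroups=function(){return fetch("/api/group/list")};
},
"./src/pages/admin.js":function(e,t,n){fetch("/actuator/health")}
}]);
//# sourceMappingURL=main.3f2a1c.js.map
`;

// Pull every double- or single-quoted string literal out of (minified) JS.
function stringLiterals(bundle) {
  const re = /(["'])((?:\\.|(?!\1)[^\\\n])*)\1/g;
  const out = [];
  let m;
  while ((m = re.exec(bundle)) !== null) out.push(m[2]);
  return out;
}

const ASSET_EXT = /\.(js|css|map|html|png|jpe?g|gif|svg|ico|woff2?|ttf)$/i;

// Route-like literals: start with "/" but are neither protocol-relative URLs
// nor static asset files. Paths built by concatenation surface as fragments
// ("/group/", "/profile"), which is usually enough to reconstruct the route.
function extractApiPaths(bundle) {
  const paths = stringLiterals(bundle).filter(
    (s) => s.startsWith("/") && !s.startsWith("//") && /[A-Za-z]/.test(s) && !ASSET_EXT.test(s)
  );
  return [...new Set(paths)].sort();
}

// Absolute http(s) URLs: API base addresses, storage buckets, third-party services.
function extractBaseUrls(bundle) {
  const urls = stringLiterals(bundle).filter((s) => /^https?:\/\//.test(s));
  return [...new Set(urls)];
}

// Header, cookie and parameter names that hint at how the API authenticates.
function extractCredentialHints(bundle) {
  const re = /\b(access[_-]?token|refresh[_-]?token|api[_-]?key|client[_-]?secret|authorization)\b/gi;
  const hits = (bundle.match(re) || []).map((s) => s.toLowerCase());
  return [...new Set(hits)];
}

// A deployed source map means the un-minified original source is one request away.
function findSourceMap(bundle) {
  const m = bundle.match(/\/\/# sourceMappingURL=(\S+)/);
  return m ? m[1] : null;
}

function mineBundle(bundle) {
  return {
    apiPaths: extractApiPaths(bundle),
    baseUrls: extractBaseUrls(bundle),
    credentialHints: extractCredentialHints(bundle),
    sourceMap: findSourceMap(bundle),
  };
}

console.log(JSON.stringify(mineBundle(SAMPLE_BUNDLE), null, 2));
```

Run it against a real bundle by replacing SAMPLE_BUNDLE with the file contents; the fragments it reports (baseURL, "/group/", "/avatar", the ACCESS_TOKEN header name) are exactly the pieces the rest of this write-up stitches together by hand, and the sourceMappingURL hit is worth checking first, since a reachable .map file hands over the original source.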

An API backend usually has more server-side middleware deployed and less protection than the normal site, so I tested it straight away.

Emmmmm, it looks like a Spring Boot framework.

Fine. Pick up Burp and a Spring wordlist (Actuator endpoints and the like) and start fuzzing straight away.

Sure enough, heaven does not let down the diligent.

Woohoo, 200 bucks in hand.

Follow-up

Having tasted sweetness last time, I set off again on my usual road of being bad at this but loving to play.

This sub-site has a registration feature, and after registering there is very little you can do once logged in: you can only upload an avatar. The file format is strictly restricted and cannot be bypassed, and the upload goes to OSS.

The interesting part is that the page does not load the image from OSS directly. Instead, the user's image address is stored server-side: the server calls an interface to obtain the picture's storage address, then fetches and loads the picture itself. If I could control that storage address, wouldn't that be an SSRF (a rather lame one)?

As I kept paging through the JS, my eyes fell on the code for picture (avatar) operations.

baseUrl is the API server address. What is groupId?

Looking at the JS elsewhere, I learned that each subdomain of this domain corresponds to an ID, and the ID tells the backend which subsidiary the operation belongs to.

Naturally, the way to obtain a groupId was obvious too.

After getting the groupId, I found I still could not perform the operation. Looking back at the request, it turned out that ACCESS_token was not being sent.

Where does access_token come from? I started rummaging through the files again, but found no trace of it. Just as I was about to give up, I found it lying peacefully in my cookies! What was going on?

The site has a registration function, and once you log in it automatically assigns you an access_token.

groupId + access_token, and resend the request:

200!

Finally, check dnslog for the callback.

Finally

I only got 30 bucks for it, but I was happy.


Front-end information is often ignored, with people paying more attention to the back-end, but in penetration testing the two complement each other and neither can be dispensed with. Carefulness and patience are often the key to a bright future.