In my recent exploration of web applications, I came across a significant security issue that I believe deserves attention. This discovery involved a popular application responsible for managing various user services. While I can't divulge the application's name or specific details, I want to share the insights gained from this experience and detail the steps taken to detect and report this vulnerability.
The Initial Discovery
The journey began when I discovered that the application's .git directory was exposed over HTTP.
The .git directory is a crucial part of any Git version-controlled project: it contains the repository's complete history, branches, and possibly sensitive configuration files. Because it holds the full history, it also exposes files and secrets that were committed at some point and later deleted from the working tree.
Using a well-known open-source tool called Git Dumper, I confirmed the exposure and downloaded the application's complete source code to my local environment.
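The two steps described above, as an added example that is not the author's code and not git-dumper itself: a probe that fetches /.git/HEAD and checks that the body has the shape of a real HEAD (a plain 200 is not enough, since single-page apps and soft 404s answer 200 for any path), followed by the walk git-dumper performs once objects are downloaded: HEAD to commit to tree to blobs. The object store, HEAD and refs are constructed in memory so the walk runs offline; the base URL and the file contents are assumptions.

```python
"""Check for an exposed .git directory and reconstruct files from a dump.

Added example (not the author's code and not git-dumper). The probe assumes
the target serves its repository at <base_url>/.git/; the object store, HEAD
and refs below are constructed in memory so the walk runs offline.
"""
import hashlib
import re
import zlib
from urllib.request import Request, urlopen

# A real .git/HEAD is either a symbolic ref or a bare 40-hex commit id.
HEAD_RE = re.compile(r"^(ref: refs/\S+|[0-9a-f]{40})$")


def looks_like_git_head(body: str) -> bool:
    """Distinguish a real HEAD from an HTML 404/SPA page returned with 200."""
    return HEAD_RE.match(body.strip()) is not None


def probe_exposed_git(base_url: str, timeout: float = 5.0) -> bool:
    """Fetch <base_url>/.git/HEAD and validate its shape (network call)."""
    req = Request(base_url.rstrip("/") + "/.git/HEAD",
                  headers={"User-Agent": "git-exposure-check"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status == 200 and looks_like_git_head(
                resp.read(4096).decode("utf-8", "replace"))
    except OSError:
        return False


def hash_object(kind: bytes, data: bytes) -> tuple[str, bytes]:
    """Encode a loose object as git does: zlib(b"<kind> <len>\\0" + data)."""
    raw = kind + b" " + str(len(data)).encode() + b"\0" + data
    return hashlib.sha1(raw).hexdigest(), zlib.compress(raw)


def read_object(store: dict[str, bytes], sha: str) -> tuple[str, bytes]:
    """Inflate a loose object (what sits under .git/objects/xx/yyyy...)."""
    header, _, body = zlib.decompress(store[sha]).partition(b"\0")
    kind, size = header.split(b" ")
    if int(size) != len(body):
        raise ValueError(f"corrupt object {sha}")
    return kind.decode(), body


def parse_tree(body: bytes) -> list[tuple[str, str, str]]:
    """Tree entries are '<mode> <name>\\0<20 raw sha bytes>', back to back."""
    entries, i = [], 0
    while i < len(body):
        nul = body.index(b"\0", i)
        mode, name = body[i:nul].decode().split(" ", 1)
        entries.append((mode, name, body[nul + 1:nul + 21].hex()))
        i = nul + 21
    return entries


def reconstruct_files(store, head: str, refs: dict[str, str]) -> dict[str, bytes]:
    """Follow HEAD -> commit -> tree -> blobs and return {path: content}."""
    commit_sha = refs[head[5:].strip()] if head.startswith("ref: ") else head.strip()
    _, commit = read_object(store, commit_sha)
    tree_sha = commit.split(b"\n", 1)[0].split(b" ")[1].decode()
    files: dict[str, bytes] = {}

    def walk(sha: str, prefix: str) -> None:
        for mode, name, entry_sha in parse_tree(read_object(store, sha)[1]):
            if mode == "40000":                 # subdirectory
                walk(entry_sha, prefix + name + "/")
            else:
                files[prefix + name] = read_object(store, entry_sha)[1]

    walk(tree_sha, "")
    return files


def build_sample_repo():
    """Constructed one-commit repo: a compose file and a deploy/ manifest."""
    store: dict[str, bytes] = {}

    def put(kind: bytes, data: bytes) -> str:
        sha, obj = hash_object(kind, data)
        store[sha] = obj
        return sha

    compose = put(b"blob", b"services:\n  db:\n    environment:\n"
                           b"      POSTGRES_PASSWORD: hunter2\n")
    manifest = put(b"blob", b"kind: Deployment\n")
    deploy_tree = put(b"tree", b"100644 deployment_production_k8.yml\0"
                               + bytes.fromhex(manifest))
    root_tree = put(b"tree", b"40000 deploy\0" + bytes.fromhex(deploy_tree)
                             + b"100644 docker-compose.yml\0" + bytes.fromhex(compose))
    commit = put(b"commit", (f"tree {root_tree}\n"
                             "author Dev <dev@example.com> 0 +0000\n"
                             "committer Dev <dev@example.com> 0 +0000\n\n"
                             "initial import\n").encode())
    return store, "ref: refs/heads/main\n", {"refs/heads/main": commit}


if __name__ == "__main__":
    store, head, refs = build_sample_repo()
    for path, content in reconstruct_files(store, head, refs).items():
        print(path, content.decode().splitlines()[0])
```

A dump of a real repository also carries packfiles and the index; the reader above handles loose objects only, which is enough to show why every committed file, including ones later removed, is recoverable once the directory is reachable.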
What I Uncovered
After inspecting the downloaded files, I discovered a concerning amount of sensitive information. Notably, I found hardcoded credentials in the docker-compose.yml file, including passwords for various services used by the application. Storing credentials in this way presents a significant security risk.
Furthermore, a deployment file, deployment_production_k8.yml, contained sensitive data, including employee usernames and passwords for Shiprocket and the SIMPL Payment Gateway.
With these credentials, access to Shiprocket's API was possible, granting control over various aspects of the application. Specifically, I used the Shiprocket credentials to generate an authentication token via their API.
With the gained access, I could:
Expose customer PII
Cancel or modify customer orders
Access financial information
Mitigation and Recommendations
After identifying the vulnerability, I promptly reported it to the company and suggested actions such as restricting access to the .git directory at the web server and managing credentials securely with AWS Secrets Manager or GitHub Secrets instead of committing them to the repository. Credentials that have appeared in a reachable .git history also have to be rotated: deleting them from the current tree leaves them recoverable from earlier commits.
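The two findings above (inline passwords in docker-compose.yml and in the Kubernetes deployment manifest) and the credential-management recommendation are served by one added example, which is not the author's report or any project's tooling. It is a line-oriented scan, with no YAML library required, that flags secret-looking keys holding literal values and stays quiet for the hardened forms: `${VAR}` interpolation, `*_FILE` paths into /run/secrets, and Kubernetes `valueFrom.secretKeyRef`. The two manifests are constructed; their service names and keys are assumptions.

```python
"""Flag hardcoded credentials in docker-compose / Kubernetes manifests.

Added example, not the author's report or any project's tooling. Key patterns
and both manifests below are constructed for illustration.
"""
import re

SECRET_KEY_RE = re.compile(r"(?i)(password|passwd|secret|token|api[_-]?key|private[_-]?key)")
LIST_ENV_RE = re.compile(r"^\s*-\s*([A-Za-z_][A-Za-z0-9_]*)=(.*)$")           # - KEY=value
MAP_KEY_RE = re.compile(r"^\s*(?:-\s*)?([A-Za-z_][A-Za-z0-9_.-]*):\s*(.*)$")  # KEY: value


def has_literal_value(value: str) -> bool:
    """True when a secret is stored here rather than resolved at deploy time."""
    v = value.strip().strip("\"'")
    if v == "" or v.startswith("$"):             # empty, or ${VAR}/$VAR interpolation
        return False
    return not v.startswith(("[", "{", "&", "*"))  # YAML flow collections / anchors


def scan_manifest(text: str) -> list[tuple[int, str]]:
    """Return (line_no, key) for every secret-looking key with a literal value."""
    findings: list[tuple[int, str]] = []
    pending_name = None  # k8s env entries: '- name: X' then 'value:' or 'valueFrom:'
    for n, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = LIST_ENV_RE.match(line)
        if m:
            key, value = m.groups()
            if SECRET_KEY_RE.search(key) and not key.endswith("_FILE") and has_literal_value(value):
                findings.append((n, key))
            continue
        m = MAP_KEY_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "name":
            pending_name = value.strip().strip("\"'")
        elif key == "value" and pending_name:
            if SECRET_KEY_RE.search(pending_name) and has_literal_value(value):
                findings.append((n, pending_name))
            pending_name = None
        elif key == "valueFrom":
            pending_name = None          # sourced from a Secret/ConfigMap: fine
        elif SECRET_KEY_RE.search(key) and not key.endswith("_FILE") and has_literal_value(value):
            findings.append((n, key))
    return findings


# Constructed: the shape of what the exposed repository contained (secrets inline).
LEAKY = """\
services:
  db:
    environment:
      POSTGRES_PASSWORD: hunter2
  api:
    environment:
      - SHIPROCKET_EMAIL=ops@example.com
      - SHIPROCKET_PASSWORD=S3cr3t!
---
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
      - name: api
        env:
        - name: SIMPL_API_KEY
          value: "sk_live_constructed"
"""

# Constructed: the same files with secrets referenced, not embedded.
HARDENED = """\
services:
  db:
    environment:
      POSTGRES_PASSWORD_FILE: /run/secrets/db_password
    secrets: [db_password]
  api:
    environment:
      - SHIPROCKET_EMAIL=${SHIPROCKET_EMAIL}
      - SHIPROCKET_PASSWORD=${SHIPROCKET_PASSWORD}
secrets:
  db_password:
    external: true
---
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
      - name: api
        env:
        - name: SIMPL_API_KEY
          valueFrom:
            secretKeyRef:
              name: payment-creds
              key: api-key
"""

if __name__ == "__main__":
    for label, doc in (("leaky", LEAKY), ("hardened", HARDENED)):
        print(label, scan_manifest(doc))
```

Run as a pre-commit hook or in CI over every *.yml in the repository, this catches the compose and deployment files in question before they reach a commit; the hardened manifest passes because the values it holds are references that a secrets manager or the orchestrator resolves at deploy time, so nothing in the repository history is worth dumping.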
Conclusion
This experience is a strong reminder of how important it is to secure application source code and data. Even a small mistake like an exposed .git directory can cause serious security issues if it is not fixed.
As a token of appreciation for uncovering and reporting this critical issue, I was rewarded $200 by the company, which shows how important it is to report problems responsibly and work together to improve cybersecurity.