# Unlocking Dunzo's Internal Dashboard

**Hello Everyone!**

This write-up is about a **Sensitive Information Disclosure** vulnerability in **Dunzo**.

The vulnerability could have allowed an attacker to access the internal monitoring dashboard of [**Dunzo**](https://www.dunzo.com/order) without any authentication.

#### Subdomain Enumeration:

I started with subdomain enumeration, using [**crt.sh**](http://crt.sh/).

#### What is crt.sh:

It's a web interface that lets you search for certificates that have been logged to Certificate Transparency (CT) logs. Every publicly trusted certificate issued for a domain ends up there, so the hostnames in those certificates reveal subdomains the organisation may not advertise.

In this case, I got only a few subdomains, so I checked each one manually. If you find a large number of subdomains, you can use the [**httpx**](https://github.com/projectdiscovery/httpx) tool from ProjectDiscovery to probe them in bulk and see which ones serve a live web application.
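The crt.sh step above, as an added example that is not part of the original write-up: it parses a constructed sample of crt.sh's JSON output (`name_value` holds the certificate's SAN names, newline-separated), dedupes the hostnames under an apex domain, and flags any host that is missing from the defender's own asset inventory. The domain names and the inventory are assumed sample values.

```python
import json
from typing import List, Set

# Constructed sample of crt.sh's JSON output (https://crt.sh/?q=%.example.com&output=json):
# each record is one logged certificate; `name_value` holds its SAN names, newline-separated.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "common_name": "example.com",
     "name_value": "example.com\nwww.example.com"},
    {"id": 2, "common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com"},
    {"id": 3, "common_name": "Monitoring.Example.com",
     "name_value": "Monitoring.Example.com\nmetrics.example.com"},
    {"id": 4, "common_name": "example.com.evil.test",
     "name_value": "example.com.evil.test"},
])


def hostnames_from_crtsh(raw_json: str, apex: str) -> Set[str]:
    """Return the unique hostnames under `apex` found in a crt.sh JSON response.

    Wildcard entries (*.apex) are dropped because they are not concrete hosts.
    Names are lower-cased (DNS is case-insensitive), and names that merely
    *start* with the apex (e.g. example.com.evil.test) are excluded.
    """
    apex = apex.lower().strip(".")
    hosts: Set[str] = set()
    for cert in json.loads(raw_json):
        for name in cert.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if not name or name.startswith("*."):
                continue
            if name == apex or name.endswith("." + apex):
                hosts.add(name)
    return hosts


def unexpected_hosts(discovered: Set[str], inventory: Set[str]) -> List[str]:
    """Hosts present in CT logs but absent from the defender's asset inventory.

    A host here that serves content without authentication (for example an
    internal monitoring dashboard) is the class of exposure this write-up describes.
    """
    return sorted(discovered - {h.lower() for h in inventory})


if __name__ == "__main__":
    found = hostnames_from_crtsh(SAMPLE_CRTSH_JSON, "example.com")
    print("CT-logged hosts:", sorted(found))
    print("not in inventory:", unexpected_hosts(found, {"example.com", "www.example.com"}))
```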

On one of those subdomains I could access the internal dashboard without any authentication. It exposed an `internal IP` address and `production server logs`.

**POC of my findings**

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708364712510/08ca7216-1c5e-4693-9f7c-9d1be4addb08.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708364725028/98d7baf9-3d70-45d4-a51d-7e4cdf8a962c.png align="center")

**Report Timeline:**

* Mon, 11 Jan 2021 - Reported to Dunzo Security Team.
* Mon, 11 Jan 2021 - Immediately got a response from the team.
* Tue, 12 Jan 2021 - Issue fixed.
* Tue, 12 Jan 2021 - Re-tested and confirmed the fix.
* Tue, 12 Jan 2021 - Got an appreciation from the Dunzo Team.

    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708192809302/1d3a1b46-60dd-464f-8c8b-8047b64d8e70.png align="center")
