During a recent VAPT engagement on a website, I encountered an intriguing situation. While fuzzing, I received a status code 200 response on the /kubelet endpoint. However, when accessing it, I was met with a 403 error page. Recognizing that kubelet is typically associated with Kubernetes, I attempted various sensitive Kubernetes paths, hoping to uncover something significant. Despite my efforts, none of them proved fruitful.
A few days earlier, I had come across a post mentioning receiving HTTP status 403 on /kubernetes but status 200 on /metrics. This prompted me to explore further. To my delight, accessing the /metrics endpoint revealed logs. Delving deeper into these logs, I stumbled upon an endpoint /api/v1/profile/{username}. This piqued my interest, as it hinted at potential user-related information.
Eager to investigate further, I devised a bash script to extract all usernames associated with this endpoint. Once I had compiled a list of usernames, I created another script to automate curl requests for each username, capturing the resulting data in JSON format. With each request, I discovered that every username yielded data related to their respective accounts.
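A defender-side complement to the finding above, as an added example that is not from the original post: given constructed web-server access-log lines, it flags clients that fetch many distinct /api/v1/profile/{username} resources in a short window (the enumeration pattern described) and lists external clients that successfully reached /metrics. The log format, the internal address prefixes and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample access-log lines (combined log format); not taken from the original post.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2024:10:00:01 +0000] "GET /metrics HTTP/1.1" 200 5120
203.0.113.7 - - [12/May/2024:10:00:05 +0000] "GET /api/v1/profile/alice HTTP/1.1" 200 412
203.0.113.7 - - [12/May/2024:10:00:06 +0000] "GET /api/v1/profile/bob HTTP/1.1" 200 398
203.0.113.7 - - [12/May/2024:10:00:06 +0000] "GET /api/v1/profile/carol HTTP/1.1" 200 401
10.0.0.5 - - [12/May/2024:10:00:09 +0000] "GET /metrics HTTP/1.1" 200 5120
198.51.100.2 - - [12/May/2024:10:01:00 +0000] "GET /api/v1/profile/alice HTTP/1.1" 200 412
198.51.100.2 - - [12/May/2024:10:01:02 +0000] "GET /api/v1/profile/alice HTTP/1.1" 200 412
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3})')
PROFILE_RE = re.compile(r"^/api/v1/profile/([^/?#]+)$")
INTERNAL = ("10.", "192.168.", "127.")  # assumed address prefixes of legitimate scrapers

def parse_line(line):
    # Returns (ip, datetime, path, status) or None for a line that does not match the format.
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path, int(status)

def detect_profile_enumeration(log_text, threshold=3, window_seconds=60):
    """Map client IP -> sorted usernames for clients that fetched at least `threshold`
    distinct profile resources within `window_seconds`; repeats of one username do not count."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] == 200 and (pm := PROFILE_RE.match(rec[2])):
            hits[rec[0]].append((rec[1], pm.group(1)))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding time window over this client's requests
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            names = {u for _, u in events[start:end + 1]}
            if len(names) >= threshold:
                flagged[ip] = sorted(names)
                break
    return flagged

def external_metrics_clients(log_text):
    """IPs outside INTERNAL that got a 200 from /metrics: non-empty means telemetry is exposed."""
    return sorted({rec[0] for rec in map(parse_line, log_text.splitlines())
                   if rec and rec[2] == "/metrics" and rec[3] == 200 and not rec[0].startswith(INTERNAL)})
```

Running both functions over the same log stream gives the two signals a responder would want from this writeup: an externally reachable /metrics endpoint and a client walking the profile endpoint.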
Thanks for reading 😊