Unveiling hidden data during 2023 pentest: how a misplaced log file can compromise 2FA security.
Conducting penetration tests requires the use of existing solutions that significantly facilitate the work. For web applications, it is valuable to recognize the structure of directories or find files of interest. For this purpose, we can use applications such as:
- ffuf
- dirbuster
- gobuster.
During the discussed test, I used the ffuf tool with a basic dictionary available publicly: https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/common.txt
The command used to discover interesting files was as follows:
Breaking it down:
- ffuf <- invoke the program
- -w ./common.txt <- select the dictionary
- -u https://tested_site.top/FUZZ <- the tested site’s address, where FUZZ is the placeholder for dictionary items
- | tee logs.txt <- display the result on the screen and save it to logs.txt file
While the fuzzer (ffuf) tries to locate interesting files, I will describe the general outline of the application.
It is an application that one can log into through two-factor authentication (sent in text message). The rest of the application’s functionality will not be relevant for the description of the findings.
Let’s see what interesting and accessible things ffuf has found for us. We will perform the command:
This will give us information about files located and accessible from a browser (code 200 = success).
As a result of the command, we will see several lines, among which:
Now that we know which file is on the server, let’s check what it contains by executing the following command:
The result of executing the command:
Among the information located in the .gitignore file, we can identify interesting paths – it is natural for an auditor to review them all. That’s what we did, and one particular path caught our attention – the one highlighted in yellow above.
We called the wget command again to obtain the contents of the file:
We can see a log file of SMS dispatch (redacted):
A potential attacker has thus obtained the phone numbers of individuals with an account in the application and could completely bypass the 2FA by rewriting the code from the file.
Recommendations for the client:
It is recommended to store logs in anonymized form, in a directory outside the web root with restricted permissions. Anonymizing logs ensures that unauthorized persons, upon gaining access, will not have insight into sensitive data. Moreover, moving the file to a web-inaccessible directory along with proper permissions will significantly enhance security.
