Private Resources Leaks
It’s disconcerting how much is available on the Internet. For example, staging and dev environments can easily be found using Google and other services. Obviously not every company has misconfigured their servers, but my recent interest in this area made me feel it’s quite common.
If I choose a company and take its domain, I can type into Google:
site:example.com
and see what it returns.
In many instances, it returns a lot of links, so it’s a good idea to filter out the results:
site:example.com -site:www.example.com
This can bring up a more reasonable number of results. But let’s say there is a blog subdomain; that might return a lot of results as well, so let’s get rid of it:
site:example.com -site:www.example.com -site:blog.example.com
At this point, I often get a few interesting results such as:
- dev.example.com
- staging.example.com
- example-dev.azurewebsites.net
- example-fe-128.staging.example.cz
- startup.linux-dev.example.cz
- project-api.example.com
- kibana.example.cz
- testing.example.com
- testproject-api-v2.example.com
- etc.
If Google does not find much, I can also go to SecurityTrails and try to search for a particular domain. That can retrieve a number of interesting results that are accessible from the Internet as well.
In my recent research, I found some private resources publicly available on the Internet nearly every time I looked up some company. I’ve tried about 20 in total.
You might say this is not a big problem. Well, it all depends on your threat model. If someone wants to harm a company, this would likely be a starting point. Knowing what the company uses, what the different sites are, and what technologies the company uses is key information that could be misused.
That brings me to default pages and error pages. Many times they include concrete versions of technologies. An example could be:

Ok, I did not get through, but I know what OS and Apache version the site uses. I can perhaps use it to target these concrete technologies.
Paying attention to what resources are leaked to the Internet is important. Do not let everybody access private environments and resources. As a tester, this is usually not your main focus, but I still recommend having a look; you might be the only one who has ever done it.
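An added example, not part of the original post: one way to run this check over your own inventory, flagging hostnames with non-production names like those listed above and responses that disclose a product version. The marker list, the function names and the sample responses are assumptions constructed for illustration.

```python
import re

# Heuristic name markers (assumption): labels that suggest a non-production system.
NONPROD = re.compile(r"(?:^|[.-])(dev|stag(?:e|ing)|test\w*|qa|uat|kibana)(?=[.-]|$)", re.I)
# Product/version banner, optionally followed by an OS hint in parentheses.
BANNER = re.compile(r"\b(Apache|nginx|Microsoft-IIS|PHP)/(\d+(?:\.\d+)+)(?:\s+\(([^)]+)\))?")

def nonprod_marker(hostname):
    """Return the marker that flags the hostname as non-production, or None."""
    m = NONPROD.search(hostname)
    return m.group(1).lower() if m else None

def version_leaks(response_text):
    """Return sorted unique (product, version, os_hint) tuples found in headers or body."""
    return sorted(set(BANNER.findall(response_text)))

def audit(inventory):
    """inventory maps hostname -> captured response text; returns findings per hostname."""
    findings = {}
    for host, response in inventory.items():
        marker, leaks = nonprod_marker(host), version_leaks(response)
        if marker or leaks:
            findings[host] = {"nonprod_marker": marker, "version_leaks": leaks}
    return findings

# Constructed sample data: hostnames from your own DNS inventory and the
# responses captured from them. Versions shown are made up for the example.
SAMPLE = {
    "www.example.com": "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n<html>home</html>",
    "staging.example.com": (
        "HTTP/1.1 403 Forbidden\r\nServer: Apache/2.4.41 (Ubuntu)\r\n\r\n"
        "<address>Apache/2.4.41 (Ubuntu) Server at staging.example.com Port 80</address>"
    ),
    "testproject-api-v2.example.com": "HTTP/1.1 401 Unauthorized\r\nServer: nginx\r\n\r\n",
}

if __name__ == "__main__":
    for host, result in audit(SAMPLE).items():
        print(host, result)
```

On Apache, `ServerTokens Prod` and `ServerSignature Off` remove the version from the `Server` header and from the error-page footer, which is why the `www` sample above produces no finding.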