Greetings everyone! Today, I’d like to share the story of how I discovered CVE-2021-29115 (an Information Disclosure vulnerability) in a bug bounty program within just a few minutes. For the sake of anonymity, let’s refer to the target website as “redacted.com”.
To start my exploration, I used a subdomain enumeration tool called Subfinder to identify any subdomains associated with redacted.com.
subfinder -d redacted.com
Once I had compiled a list of subdomains, I chose one subdomain and began content discovery using the ffuf tool. I ran the following command:
ffuf -u https://subdomain.redacted.com/FUZZ -w dicc.txt
As I ran the scan, I stumbled upon an interesting discovery: the endpoint /server was returning a 301 redirect status. Curious about this redirect, I attempted to access the endpoint in my browser, which promptly redirected me to the following endpoint: /server/rest/services.
This piqued my interest, so I began to investigate the /server/rest/services endpoint more closely. Through some experimentation, I was able to find that the endpoint was susceptible to an Information Disclosure vulnerability (CVE-2021-29115), which allowed me to access sensitive information about the application and its environment.
By reporting this vulnerability to the bug bounty program, I was able to earn a HOF for my findings. It just goes to show how a few simple tools and a bit of persistence can lead to a successful bug bounty hunt!
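From the defender's side, the sequence in this write-up (a wordlist scan producing a burst of 404s, then a hit on the ArcGIS Services Directory) is easy to spot in ordinary web server access logs. The script below is an added example, not code from the original post; the log lines, IP addresses and the 404 threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access log (combined log format); not from the original post.
# 203.0.113.5 runs a wordlist scan (several 404s), follows the /server -> /server/rest/services
# redirect, and reaches the Services Directory. 198.51.100.7 is an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2023:12:00:01 +0000] "GET /admin HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2023:12:00:01 +0000] "GET /backup HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2023:12:00:02 +0000] "GET /config HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2023:12:00:02 +0000] "GET /server HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2023:12:00:40 +0000] "GET /server/rest/services HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2023:12:01:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2023:12:01:05 +0000] "GET /server/rest/services HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""

# Extract client IP, request path and status code from a combined-log-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
SERVICES_DIR = "/server/rest/services"  # the endpoint discussed in the write-up


def analyse(log_text, not_found_threshold=3):
    """Per client IP: number of 404s, whether it touched the Services Directory,
    and whether both signals together mark it as suspicious."""
    stats = defaultdict(lambda: {"not_found": 0, "services_dir": False, "suspicious": False})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        entry = stats[m["ip"]]
        if m["status"] == "404":
            entry["not_found"] += 1
        # Normalise the path (drop query string, trailing slash) before comparing.
        if m["path"].split("?", 1)[0].rstrip("/") == SERVICES_DIR:
            entry["services_dir"] = True
        entry["suspicious"] = entry["not_found"] >= not_found_threshold and entry["services_dir"]
    return dict(stats)


def suspicious_ips(log_text, not_found_threshold=3):
    """Sorted list of IPs that did content discovery and then hit the Services Directory."""
    return sorted(ip for ip, s in analyse(log_text, not_found_threshold).items() if s["suspicious"])


if __name__ == "__main__":
    for ip in suspicious_ips(SAMPLE_LOG):
        print("content discovery followed by Services Directory access from", ip)
```

A hit on the Services Directory alone is normal traffic for a public ArcGIS Server; the combination with a preceding 404 burst is what makes it worth an alert.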
Vulnerability Report:
Description:
An information disclosure vulnerability in the ArcGIS Service Directory in Esri ArcGIS Enterprise and below may allow a remote attacker to view hidden field names in feature layers. This issue may reveal field names, but does not disclose features.
Steps To Reproduce:
Navigate to https://Redacted.com/server/rest/services
Supporting Material/References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29115