This website uses cookies

To provide the highest level of service we use cookies on this site.
Your continued use of the site means that you agree to their use in accordance with our terms and conditions.

Pentest Chronicles

Unveiling hidden data:
a log file's security breach

ROBERT KRUCZEK

November 10, 2023

Unveiling hidden data during 2023 pentest: how a misplaced log file can compromise 2FA security.


Conducting penetration tests requires the use of existing solutions that significantly facilitate the work. For web applications, it is valuable to recognize the structure of directories or find files of interest. For this purpose, we can use applications such as:
• ffuf,
• dirbuster,
• gobuster.

During the discussed test, I used the ffuf tool with a basic dictionary available publicly:
https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/common.txt

The command used to discover interesting files was as follows:

Breaking it down:
• ffuf <- invoke the program
• -w ./common.txt <- select the dictionary
• -u https://tested_site.top/FUZZ <- the tested site's address, where FUZZ is the placeholder for dictionary items
• | tee logs.txt <- display the result on the screen and save it to logs.txt file


While the fuzzer (ffuf) tries to locate interesting files, I will describe the general outline of the application.
It is an application that one can log into through two-factor authentication (sent in text message). The rest of the application's functionality will not be relevant for the description of the findings.
Let's see what interesting and accessible things ffuf has found for us. We will perform the command:

This will give us information about files located and accessible from a browser (code 200 = success).

As a result of the command, we will see several lines, among which:


Now that we know which file is on the server, let's check what it contains by executing the following command:


The result of executing the command:


Among the information located in the .gitignore file, we can identify interesting paths – it is natural for an auditor to review them all. That's what we did, and one particular path caught our attention – the one highlighted in yellow above.
We called the wget command again to obtain the contents of the file:


We can see a log file of SMS dispatch (redacted):


A potential attacker has thus obtained the phone numbers of individuals with an account in the application and could completely bypass the 2FA by rewriting the code from the file.

Recommendations for the client:

It is recommended to store logs in anonymized form, in a directory outside the web root with restricted permissions. Anonymizing logs ensures that unauthorized persons, upon gaining access, will not have insight into sensitive data. Moreover, moving the file to a web-inaccessible directory along with proper permissions will significantly enhance security.

#CyberSecurity #InfoSec #2FA #DigitalSafety #PentestChronicles



Next Pentest Chronicles

When Usernames Become Passwords: A Real-World Case Study of Weak Password Practices

Michał WNękowicz

9 June 2023

In today's world, ensuring the security of our accounts is more crucial than ever. Just as keys protect the doors to our homes, passwords serve as the first line of defense for our data and assets. It's easy to assume that technical individuals, such as developers and IT professionals, always use strong, unique passwords to keep ...

SOCMINT – or rather OSINT of social media

Tomasz Turba

October 15 2022

SOCMINT is the process of gathering and analyzing the information collected from various social networks, channels and communication groups in order to track down an object, gather as much partial data as possible, and potentially to understand its operation. All this in order to analyze the collected information and to achieve that goal by making …

PyScript – or rather Python in your browser + what can be done with it?

michał bentkowski

10 september 2022

PyScript – or rather Python in your browser + what can be done with it? A few days ago, the Anaconda project announced the PyScript framework, which allows Python code to be executed directly in the browser. Additionally, it also covers its integration with HTML and JS code. An execution of the Python code in …

Any questions?

Happy to get a call or email
and help!

Terms and conditions
© 2023 Securitum. All rights reserved.