MRunal

Summary

The website content details the discovery and exploitation of security vulnerabilities, specifically the exposure of error logs through a debug URL and the presence of WS_FTP logs, which can reveal sensitive information about a web application's structure and files.

Abstract

The author recounts their experience during a security assessment where they stumbled upon a debug URL on xyz.com that was leaking error logs. Despite initial unsuccessful attempts at exploiting common vulnerabilities like XSS, the author eventually accessed the error logs by directly requesting /errors/errors.log. Furthermore, the author uncovered a WS_FTP log file, which by default records all file transfers and could contain valuable information for an attacker, including hidden administrative or maintenance files. After some trial and error, the author located the WS_FTP log file at /admin/WS_FTP.LOG. The write-up emphasizes the importance of securing such log files to prevent attackers from easily gathering information about a web application's architecture and potentially sensitive files. Recommendations are provided for both developers and security operations to mitigate these risks, such as restricting access to important files, removing WS_FTP log files from servers, and configuring WS_FTP to avoid creating log files.

Opinions

  • The author believes that finding error logs through debug information and WS_FTP logs can significantly aid an attacker in reconnaissance efforts.
  • They suggest that even seemingly benign information, such as file transfer logs, can be a goldmine for attackers.
  • The author emphasizes the importance of web application server administrators taking proactive steps to secure their applications against such vulnerabilities.
  • They recommend deviating from standard naming conventions for hidden directories to make it more difficult for attackers to guess their locations.
  • The author implies that many security issues can be mitigated by following basic security practices, such as restricting access and removing sensitive information from public access.
  • They encourage readers to engage with the content by clapping if they find it useful and following "Infosec Write-ups" for more related articles.

When I found error logs through debug information (CGI scripts) and a WS_FTP log

During the assessment, I found a debug URL on xyz.com that was disclosing the error logs.

Sorry, I can’t disclose the website name…

Let's start…

When I started recon and tried to find bugs on this program,

I tried many things like XSS, IDOR, etc. (nothing spotted).

When I tried to find XSS, most of the time I got an error (xyz.com/errors).

After one day I tried some different payloads and many other things, but nothing worked.

Anything I tried (a random XSS payload) always redirected to one page (xyz.com/errors).

Then after a few hours I tried this:

GET /errors/errors.log HTTP/1.1

Then…

Did you see this?

Next time you get some errors and are redirected to an errors page, please try /errors.log as well. Maybe that one step will increase your bank balance.

Let's move forward…

Then I tried to explore this site and found some good stuff regarding WS_FTP.

First, let's talk about WS_FTP.

A serious WS_FTP vulnerability was identified within your web application. WS_FTP is a popular FTP client for Windows which is utilized by system administrators and developers to upload and download files from web servers, with each transfer notated in a log file by default. Risks associated with an attacker discovering a WS_FTP log file result from the fact that files that should remain hidden, such as administrative or maintenance applications, web application configuration files, or application data files, may then be visible. Recommendations include removing the WS_FTP log file from the application server and configuring WS_FTP so that it does not create log files.

When WS_FTP is used to transfer files, a log file called ‘ws_ftp.log’ is created on the server. This log file contains records of every file that is accessed by WS_FTP, which could possibly contain very valuable information to an attacker because it may list files that are otherwise “hidden.” This often includes administrative or maintenance applications, web application configuration files, applications-in-development, backed-up application source code and possible application data files.

Primarily, WS_FTP log files are valuable to attackers because they display all files in a directory, not just ones that are intended to be used. How easy is it for an attacker to take advantage of an insecure web application via the discovery of a WS_FTP log file on your web application server? Often, this is as simple as typing in the name of the file garnered directly from the WS_FTP log files. In essence, gaining access to a WS_FTP log file greatly reduces the amount of effort a potential attacker must employ to gain knowledge of your web application.

A fundamental necessity for a successful attack upon your web application is reconnaissance. An attacker will employ a variety of methods, including malicious scanning agents and Google searches, to find out as much information about your web application as possible. That information can then be utilized when the attacker is formulating his next method of attack. An attacker who finds a WS_FTP log file has had a large portion of his reconnaissance conducted for him.

I tried GET /WS_FTP.LOG HTTP/1.1 but I got an error…

Again I say, your one step can change many things. After spending 30 minutes doing much the same thing, I got this:

GET /admin/WS_FTP.LOG HTTP/1.1

For Development: Unless you are actively involved with implementing the web application server, there is not a wide range of available solutions to prevent problems that can occur from an attacker finding a WS_FTP log file. Primarily, this problem will be resolved by the web application server administrator. However, there are certain actions you can take that will help to secure your web application.

  • Restrict access to important files or directories only to those who actually need it.
  • Ensure that files containing sensitive information are not left publicly accessible, or that comments left inside files do not reveal the locations of directories best left confidential.

For Security Operations: There are two primary actions to take to eliminate the risk of a WS_FTP log file vulnerability.

  • Manually remove the WS_FTP log file from the application server.
  • Configure WS_FTP so that it does not create log files on servers.
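The manual removal step above can be scripted as a document-root audit. The following is an added example, not code from the original write-up: it walks a web root, flags WS_FTP.LOG in any letter case plus any other .log file (such as the errors/errors.log case earlier), and moves the findings out of the served tree. The sample tree, including index.html and admin/panel.php, is constructed for illustration.

```python
import os
import shutil
import tempfile

def find_exposed_logs(docroot):
    """Return sorted (url_path, reason) pairs for log files under docroot."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(docroot):
        for name in filenames:
            lower = name.lower()  # match WS_FTP.LOG, ws_ftp.log, Ws_Ftp.Log alike
            if lower == "ws_ftp.log":
                reason = "WS_FTP transfer log"
            elif lower.endswith(".log"):
                reason = "log file inside web root"
            else:
                continue
            rel = os.path.relpath(os.path.join(dirpath, name), docroot)
            findings.append(("/" + rel.replace(os.sep, "/"), reason))
    return sorted(findings)

def quarantine(docroot, findings, dest):
    """Move each finding out of the web root into dest, keeping its layout."""
    moved = []
    for url_path, _reason in findings:
        parts = url_path.strip("/").split("/")
        target = os.path.join(dest, *parts)
        os.makedirs(os.path.dirname(target), exist_ok=True)
        shutil.move(os.path.join(docroot, *parts), target)
        moved.append(target)
    return moved

def build_sample_docroot(root):
    """Constructed sample tree using the two log paths named in the write-up."""
    for rel in ("index.html", "errors/errors.log",
                "admin/WS_FTP.LOG", "admin/panel.php"):  # hypothetical files
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root, \
         tempfile.TemporaryDirectory() as dest:
        build_sample_docroot(root)
        hits = find_exposed_logs(root)
        for url_path, reason in hits:
            print(f"{url_path}: {reason}")
        quarantine(root, hits, dest)
        print("still exposed:", find_exposed_logs(root))
```

Run it against a copy of the real document root first; the quarantine directory must sit outside any path the web server serves.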

One of the most important aspects of web application security is to restrict access to important files or directories only to those individuals who actually need to access them. Ensure that the private architectural structure of your web application is not exposed to anyone who wishes to view it as even seemingly innocuous directories can provide important information to a potential attacker.

The following recommendations can help to ensure that you are not unintentionally allowing access to either information that could be utilized in conducting an attack or proprietary data stored in publicly accessible directories.

  • Ensure that files containing sensitive information are not left publicly accessible, or that comments left inside files do not reveal the locations of directories best left confidential.
  • Restrict access to important files or directories only to those who actually need it.
  • Don’t follow standard naming procedures for hidden directories. For example, don’t create a hidden directory called “cgi” that contains cgi scripts. Obvious directory names are just that…readily guessed by an attacker.

Remember, the harder you make it for an attacker to access information about your web application, the more likely it is that he will simply find an easier target.

If you like it please clap.

Follow Infosec Write-ups for more such awesome write-ups.
