Sensitive PII Data Disclosed in JSON Files
Brief Description
This bug was quite simple. For some reason, the web application was saving its user information in JSON format under the /assets/ path, which contained all kinds of JSON files. Therefore, by fuzzing different words with the .json extension, information such as username, password, email, addresses, phone, and company role was found in the file users.json.
Reconnaissance Steps
After looking at the analytics of the target, SRTs have reported information disclosure flaws in a vulnerable web server under the /assets/ path among different JSON files. In this case, I thought to fuzz English words under the /assets/ path with the .json extension by using https://github.com/ffuf/ffuf as follows:
ffuf -c -ac -v -mc all -w raft-large-words.txt -u https://ca.domain.vi/assets/FUZZ.json -t 100
After fuzzing, the JSON file user.json was found.
After the report was sent, it was accepted and given three stars for report writing.
Takeaway
Take a look at the paths already found in Burp Suite while mapping the web application, as well as the analytics if you're an SRT. If there is a pattern among the files, it's probable that you may be able to find more endpoints with similar flaws.
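From the defending side, the same flaw can be caught before deployment by auditing the static directory for JSON files whose keys look like user records. The script below is an added example, not code from the original write-up; the key-name pattern, the function names and the sample tree are assumptions built from the fields listed in the description.

```python
import json
import os
import re
import tempfile

# Assumed key spellings for the fields the write-up lists as disclosed.
SENSITIVE = re.compile(r"(user_?name|passw(or)?d|e?mail|address|phone|role)", re.I)

def sensitive_keys(node):
    """Recursively collect object keys that look like PII or credentials."""
    found = set()
    if isinstance(node, dict):
        found = {k.lower() for k in node if SENSITIVE.search(k)}
        node = list(node.values())
    if isinstance(node, list):
        for item in node:
            found |= sensitive_keys(item)
    return found

def audit_assets(root):
    """Map each .json file under root (relative path) to its sensitive keys."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in (f for f in files if f.lower().endswith(".json")):
            path = os.path.join(folder, name)
            try:
                with open(path, encoding="utf-8") as fh:
                    keys = sensitive_keys(json.load(fh))
            except (OSError, ValueError):
                continue  # unreadable or not valid JSON: nothing to inspect
            if keys:
                report[os.path.relpath(path, root)] = keys
    return report

def demo():
    """Constructed sample tree: one harmless translation file, one user dump."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "i18n.json": {"title": "Home", "footer": "Contact"},
            "users.json": [{"username": "a", "password": "x", "email": "a@example.test",
                            "phone": "0", "profile": {"companyRole": "ops"}}],
        }
        for name, body in samples.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                json.dump(body, fh)
        return audit_assets(root)

if __name__ == "__main__":
    print(demo())
```

Pointing audit_assets at the build output in a CI step and failing the build on a non-empty report keeps such files from reaching a publicly served path.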