Security misconfiguration, but is it enough for a report?

Hi all,

I have just started looking at the public programs after doing a lot of self study.

I have found a subdomain which is protected as you get a 403 when you try to access it.
By altering the request, it seems to bypass this security as I’m able to access the site behind it.

However the site behind this request is a confluence page which asks for a login.
I’m not sure if this is enough to report as a bug?

Obviously the initial protection can be bypassed, which you could label as “Server security misconfiguration”. This might be because they only want this site to be accessible from within their networks or something.

And getting to the login form would allow me to start bruteforcing credentials, I haven’t checked if they have enabled captcha protection as I don’t want to interrupt their user’s work.
There doesn’t seem to be anonymous access to any content, and the version isn’t vulnerable to CVE-2019-3396.

So is this enough to report?
I don’t imagine it to be a high priority but still it would mark my first bug that I found if it’s accepted.

The only next steps I can think of to go further is to find out what makes the security check (if it’s a header that’s required, specific host value, cookie, …) however this will only help me circumvent the initial security but won’t increase the criticality of this in my opinion.

Looking forward to your feedback.

So after thinking it over a bunch I decided that I would like to know if this was an issue in my environment so I submitted a report.

It got accepted as a medium so I guess I shouldn’t doubt myself so much.

First bug reported, check!

Awesome, congratulations! Sounds like a cool bug. How did you bypass the 403? Did you just add a X-Forwarded-For: 127.0.0.1 header? I usually give up instantly when I see the Forbidden error, but this makes me think that I might have been missing out on potential vulnerabilities.

It was more simple than that. For some reason they didn’t block POST requests.

So instead of sending a GET request, I sent a valid POST request with a content length of a random char.

This gave me access to the site, it didn’t load any JS or CSS. I’m guessing because it was still blocking those GET requests.

Navigation was a bit of a pain since I had to manually change every request but in the end no data was exposed, only the login form.

And of course yesterday I thought “where there’s a confluence there’s usually a jira” and sure enough the same issue was there as well. So it’s now become 2 bug reports.

1 Like

I think it’s a good practice to ask those questions you asked in the first message before reporting. Not necessarily to someone else, but to yourself.
Congratulations on your first report!