URL: https://hackerone.com/reports/519418



Trace.axd page leaks sensitive information

Summary by arinerron2
See the writeup at https://aaronesau.com/blog/posts/5
Timeline
arinerron2
submitted a report to U.S. Dept Of Defense.
April 1, 2019, 3:58am UTC


SUMMARY

Trace.axd leaks sensitive information on ██████████ by allowing signed in users
to view previous requests sent to the webserver.


IMPACT

Information leaked includes (but is not limited to):
 * full names
 * email addresses
 * social security numbers
 * dates of birth
 * plaintext passwords
 * cookies, session tokens, and CSRF tokens
 * IP addresses and headers
 * application specific information (endpoints, files and directories on the
   filesystem, software versions)


STEP-BY-STEP REPRODUCTION INSTRUCTIONS

 1. Visit https://████████/Gateway/sso.aspx and sign in. Note that any user can
    create a user (and any privilege level works for this vulnerability as long
    as a user is signed in), so this should be considered an unauthenticated
    vulnerability.
 2. Visit https://██████████/████/Trace.axd
 3. Click on View Details for any request that seems interesting. You can find
    social security numbers by visiting any of the /candidate_app/dspstatus.aspx
    pages and then Ctrl+F'ing for app_ssn.


SUGGESTED MITIGATION/REMEDIATION ACTIONS

Disable Trace.axd.
https://docs.microsoft.com/en-us/previous-versions/dotnet/articles/ms972204(v=msdn.10)


IMPACT

Any attacker can potentially access the following information of current or
future Navy personnel:
 * full names
 * email addresses
 * social security numbers
 * dates of birth
 * plaintext passwords
 * cookies, session tokens, and CSRF tokens
 * IP addresses and headers
 * application specific information (endpoints, files and directories on the
   filesystem, software versions)
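The remediation the report asks for ("Disable Trace.axd") is a web.config change. The following is an added example, not configuration taken from the report or from the affected system: the first fragment is a constructed weak configuration consistent with the behaviour the report describes (application-level tracing on and reachable from remote clients), the second is the hardened form. The IIS handler names in the second fragment are the ones registered in applicationHost.config for the ASP.NET trace handler and are an assumption to be checked against the server in question.

```xml
<!-- BEFORE (weak, constructed for illustration): application-level tracing is
     on and localOnly="false", so /Trace.axd serves the captured request log,
     including posted form fields, cookies and headers, to any remote client
     that can reach the application. -->
<configuration>
  <system.web>
    <trace enabled="true" localOnly="false" requestLimit="1000"
           pageOutput="false" mostRecent="true" />
    <compilation debug="true" />
  </system.web>
</configuration>

<!-- AFTER (hardened): tracing off; localOnly="true" kept as defence in depth so
     that if tracing is ever re-enabled Trace.axd answers only on loopback;
     debug compilation off; the trace handler mapping removed at the IIS level
     so a request for Trace.axd never reaches System.Web.Handlers.TraceHandler. -->
<configuration>
  <system.web>
    <trace enabled="false" localOnly="true" />
    <compilation debug="false" />
  </system.web>
  <system.webServer>
    <handlers>
      <!-- Assumed handler names; confirm with
           appcmd list config /section:system.webServer/handlers -->
      <remove name="TraceHandler-Integrated-4.0" />
      <remove name="TraceHandler-Integrated" />
    </handlers>
  </system.webServer>
</configuration>
```

On a shared host the same result can be enforced server-wide with `<deployment retail="true" />` under `<system.web>` in machine.config, which forces tracing and debug compilation off for every application regardless of what individual web.config files say. After the change, a request for /Trace.axd from a non-loopback client should return 404 rather than the trace listing.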

Bot:
 posted a comment. 
April 1, 2019, 3:58am UTC
Greetings from the Department of Defense (DoD),
Thank you for supporting the DoD Vulnerability Disclosure Program (VDP).
By submitting this report, you acknowledge understanding of, and agreement to,
the DoD Vulnerability Disclosure Policy as detailed at @DeptofDefense.
The VDP Team will review your report to ensure compliance with the DoD
Vulnerability Disclosure Policy. If your report is determined to be
out-of-scope, it will be closed without action.
We will attempt to validate in-scope vulnerability reports and may request
additional information from you if necessary. We will forward reports with
validated vulnerabilities to DoD system owners for their action.
Our goal is to provide you with status updates not less than every two weeks
until the reported vulnerability is resolved.
Regards,
The VDP Team
ag3nt-j1
U.S. Dept Of Defense staff
 updated the severity to critical. 
April 1, 2019, 4:29pm UTC
ag3nt-j1
U.S. Dept Of Defense staff
 changed the status to Triaged. 
April 1, 2019, 4:29pm UTC
Greetings,
We have validated the vulnerability you reported and are preparing to forward
this report to the affected DoD system owner for resolution.
Thank you for bringing this vulnerability to our attention!
We will endeavor to answer any questions the system owners may have regarding
this report; however, there is a possibility we will need to contact you if they
require more information to resolve the vulnerability.
You will receive another status update after we have confirmed your report has
been resolved by the system owner. If you have any questions, please let me
know.
Thanks again for supporting the DoD Vulnerability Disclosure Program.
Regards,
The VDP Team
ag3nt-j1
U.S. Dept Of Defense staff
 closed the report and changed the status to Resolved. 
April 10, 2019, 7:34pm UTC
Good news!
The vulnerability you reported has been resolved and this report is now closed.
If you have any further questions or disagree that the report is resolved,
please let us know.
Thank you for your time and effort to improve the security of the DoD
information network.
Regards,
The VDP Team
arinerron2
 requested to disclose this report. 
April 10, 2019, 8:03pm UTC
Thank you for resolving the issue so quickly! Requesting public disclosure if
that's okay.
agent-1
 posted a comment. 
May 6, 2019, 5:17pm UTC
@arinerron2 Thank you for your submission on this critical vulnerability! You
have been chosen by our team as a researcher to highlight on our Twitter page
@DC3VDP. Do you have a Twitter handle, name, or URL that you would like us to
use in our post? Please let us know.
arinerron2
 posted a comment. 
Updated May 6, 2019, 7:06pm UTC
Thank you! And, I have a blog post written and ready for when this report is
disclosed.
Twitter (preferred): @arinerron Name: Aaron E. URL: https://ww.arinerron.com/
arinerron2
 posted a comment. 
July 1, 2019, 10:21pm UTC
Hi @ag3nt-j1, I'm not sure about the disclosure policy here. Is it possible for
these reports to be publicly disclosed? I noticed that the DoD does disclose
few, although some, reports.
ag3nt-j1
U.S. Dept Of Defense staff
 posted a comment. 
July 2, 2019, 11:31am UTC
Sure, you'll have to request disclosure on the report. I'll go in and redact any
identifying information that could tie the report to a website and have the
attachments deleted before I disclose the report. I have a backlog of disclosure
requests I need to work through, so it might take a little bit of time.
ag3nt-j1
U.S. Dept Of Defense staff
 agreed to disclose this report. 
August 19, 2019, 12:21pm UTC

 This report has been disclosed. 
August 19, 2019, 12:21pm UTC
arinerron2
 posted a comment. 
August 19, 2019, 4:01pm UTC
Thank you @ag3nt-j1! I published the writeup here:
https://arinerron.com/blog/posts/5
agent-bk1
 posted a comment. 
August 2, 2021, 5:14pm UTC
As a previous winner of Researcher of the Month we'd like to ask some questions
to give you a voice in the program. If you have time we'd love your input. Thank
you.
 1. Are you happy with the current point system of DoD VDP (7 points for triage,
    2 points for duplicate)?
 2. Are there any recommendations or suggestions you have for the Researcher of
    the Month tweet?
 3. Are there any items in our policy that should be better defined for
    participants?
 4. As an award winner, would you like to be interviewed and tell the story of
    how you got into Vulnerability Disclosures and Bug Bounties?
 5. Did you use this program to "practice" before moving on to another?
 6. Are you happy with the level of communication you get from the validators?
 7. It's been communicated that the researchers would like educational
    opportunities with regards to the program. What types of opportunities
    would you implement?
 8. What is the one thing you like most about our program?
 9. What is the one thing you like least about our program?



Reported April 1, 2019, 3:58am UTC


arinerron2

Participants


Reported to
U.S. Dept Of Defense

Report Id
#519418
Resolved



Disclosed
August 19, 2019, 12:21pm UTC

Severity
Critical (9 ~ 10)

Weakness
Information Exposure Through Debug Information



Bounty
None



CVE ID
None

Account de...
None

