Sensitive information for web applications – hidden directories and files

0x1, Scenario

There may be a lot of hidden information in the web application root folder: source code version control system folders and files (.git, .gitignore, .svn), project configuration files (.npmrc, package.json, .htaccess), and custom configuration files with common extensions, such as config.json, config.yml, config.xml and many others.

Resources can be divided into several common categories:

  • Source code version control system
  • IDE (Integrated Development Environment) configuration file
  • Project and/or technology-specific configuration and settings files

1.1, GIT

Git is “(…) a free and open source distributed version control system”. A newly created Git repository contains some default folders and files where all the information is stored.

Basic structure of .git folder

Objects can be one of three types: commit, tree, and blob.

Commit is information about the commit, with the current tree (folder and file structure) object hash.

Tree contains information about the folder and file structure – each folder or file has its own object hash stored in the tree object.

Blob is a Git object type that saves file content. Knowing the object hash of a specific file, you can use the git cat-file command to read the contents of this file.
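The commit, tree and blob chain described above, as an added example (not code from the original article): it builds three constructed loose objects in memory, then follows commit -> tree -> blob the way git cat-file would. The file name, content and author line are constructed, and only a flat tree without sub-folders is handled.

```python
import hashlib
import zlib

def encode_object(kind, body):
    """Return (hash, stored bytes): SHA-1 over '<type> <size>\\0<body>', zlib-compressed."""
    raw = f"{kind} {len(body)}".encode() + b"\x00" + body
    return hashlib.sha1(raw).hexdigest(), zlib.compress(raw)

def object_path(sha):
    """Loose objects live at .git/objects/<first 2 hex chars>/<remaining 38>."""
    return f".git/objects/{sha[:2]}/{sha[2:]}"

def decode_object(stored):
    """Decompress a stored object and return (type, body) after checking the size."""
    raw = zlib.decompress(stored)
    header, _, body = raw.partition(b"\x00")
    kind, size = header.decode().split(" ")
    if int(size) != len(body):
        raise ValueError("declared size does not match body length")
    return kind, body

def parse_tree(body):
    """Tree body is a sequence of '<mode> <name>\\0' followed by a 20-byte raw hash."""
    entries, pos = [], 0
    while pos < len(body):
        nul = body.index(b"\x00", pos)
        mode, name = body[pos:nul].decode().split(" ", 1)
        entries.append((mode, name, body[nul + 1:nul + 21].hex()))
        pos = nul + 21
    return entries

def build_sample_repo():
    """Constructed objects: one commit -> one tree -> one blob."""
    store = {}
    def put(kind, body):
        sha, stored = encode_object(kind, body)
        store[object_path(sha)] = stored
        return sha
    blob = put("blob", b"db_password: constructed-example\n")
    tree = put("tree", b"100644 database.yml\x00" + bytes.fromhex(blob))
    commit = put("commit", (f"tree {tree}\n"
                            "author Dev <dev@example.invalid> 1456055578 +0000\n"
                            "committer Dev <dev@example.invalid> 1456055578 +0000\n"
                            "\nadd config\n").encode())
    return store, commit

def files_reachable_from(store, commit_sha):
    """Follow commit -> tree -> blobs and return {file name: content}."""
    kind, body = decode_object(store[object_path(commit_sha)])
    assert kind == "commit"
    tree_sha = body.split(b"\n", 1)[0].decode().split(" ")[1]
    _, tree_body = decode_object(store[object_path(tree_sha)])
    return {name: decode_object(store[object_path(sha)])[1]
            for _mode, name, sha in parse_tree(tree_body)}
```

Every file ever committed is stored this way, which is why a .git folder left in a web root amounts to publishing the source tree and its history.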

1.2, Subversion (SVN)

Subversion (or SVN) is a source code version control system created by the Apache Software Foundation. An example structure of SVN folders and files is as follows:


Basic structure of .svn folder

The key information is the SQLite database file wc.db and the contents of the pristine/ directory. The hash value of the relevant file name in pristine/* is stored in wc.db.

http://server/path_to_vulnerable_site/.svn/wc.db

Using the SQLite console client (or any other tool to manage SQLite databases), read the contents of wc.db

$ sqlite3 wc.db
SQLite version 3.8.10.2 2015-05-20 18:17:19
Enter ".help" for usage hints.
sqlite> .databases
seq  name             file
---  ---------------  ----------------------------------------------------------
0    main             /Users/bl4de/hacking/playground/wc.db
sqlite> .dump
PRAGMA foreign_keys=OFF;
BEGIN TRANSACTION;
CREATE TABLE REPOSITORY(id INTEGER PRIMARY KEY AUTOINCREMENT, root TEXT UNIQUE NOT NULL, uuid TEXT NOT NULL);
INSERT INTO "REPOSITORY" VALUES(1,'svn+ssh://192.168.1.4/var/svn-repos/project_wombat','88dcec91-39c3-4b86-8627-702dd82cfa09');

(...)

INSERT INTO "NODES" VALUES(1,'trunk',0,'',1,'trunk',1,'normal',NULL,NULL,'dir',X'2829','infinity',NULL,NULL,1,1456055578790922,'bl4de',NULL,NULL,NULL,NULL);
INSERT INTO "NODES" VALUES(1,'',0,NULL,1,'',1,'normal',NULL,NULL,'dir',X'2829','infinity',NULL,NULL,1,1456055578790922,'bl4de',NULL,NULL,NULL,NULL);
INSERT INTO "NODES" VALUES(1,'trunk/test.txt',0,'trunk',1,'trunk/test.txt',2,'normal',NULL,NULL,'file', );
INSERT INTO "NODES" VALUES(1,'trunk/test2.txt',0,'trunk',1,'trunk/test2.txt',3,'normal',NULL,NULL,'file',NULL,NULL,'$sha1$6f3fb98418f14f293f7ad55e2cc468ba692b23ce',NULL,3,1456056740296578,'bl4de',27,1456056696000000,NULL,NULL);

(...)

Each one contains the file name and SHA1 hash, corresponding to the entry in the pristine/ folder:

$ ls -lA pristine/94/
total 8
-rw-r--r--@ 1 bl4de  staff  38 Feb 21 12:05 945a60e68acc693fcb74abadb588aac1a9135f62.svn-base

The entry in the REPOSITORY table points to the original repository path, that is:

svn+ssh://192.168.1.4/var/svn-repos/project_wombat
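To see what a deployed .svn folder would disclose, the wc.db lookup above can be scripted against your own working copy. This is an added example, not code from the original article: it uses an in-memory database with constructed rows modelled on the dump above, and the reduced three-column NODES schema is an assumption of the example (a real wc.db has many more columns).

```python
import sqlite3

def build_sample_wc_db():
    """Constructed stand-in for .svn/wc.db with only the columns used here."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE REPOSITORY (id INTEGER PRIMARY KEY AUTOINCREMENT,
                                 root TEXT UNIQUE NOT NULL, uuid TEXT NOT NULL);
        CREATE TABLE NODES (local_relpath TEXT, kind TEXT, checksum TEXT);
        INSERT INTO REPOSITORY VALUES (1,
            'svn+ssh://192.168.1.4/var/svn-repos/project_wombat',
            '88dcec91-39c3-4b86-8627-702dd82cfa09');
        INSERT INTO NODES VALUES ('trunk', 'dir', NULL);
        INSERT INTO NODES VALUES ('trunk/test2.txt', 'file',
            '$sha1$6f3fb98418f14f293f7ad55e2cc468ba692b23ce');
    """)
    return db

def pristine_path(checksum):
    """Map a NODES.checksum value ('$sha1$<40 hex chars>') to its pristine/ file."""
    prefix = "$sha1$"
    if not checksum or not checksum.startswith(prefix):
        return None
    digest = checksum[len(prefix):]
    if len(digest) != 40 or any(c not in "0123456789abcdef" for c in digest):
        return None
    # pristine/ is sharded by the first two hex characters of the hash
    return f"pristine/{digest[:2]}/{digest}.svn-base"

def exposure_report(db):
    """List the repository roots and, per versioned file, the pristine copy holding it."""
    roots = [row[0] for row in db.execute("SELECT root FROM REPOSITORY")]
    files = {}
    for relpath, checksum in db.execute(
            "SELECT local_relpath, checksum FROM NODES WHERE kind = 'file'"):
        files[relpath] = pristine_path(checksum)
    return {"repository_roots": roots, "files": files}

if __name__ == "__main__":
    report = exposure_report(build_sample_wc_db())
    for root in report["repository_roots"]:
        print("repository:", root)
    for name, path in report["files"].items():
        print(name, "->", path)
```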

1.3, IDE project file

Many IDEs (Integrated Development Environments) used by developers have one thing in common – they save the settings and a lot of additional information for the project in their own files, created separately for each project.

Products of JetBrains (https://www.jetbrains.com/).

JetBrains IDE – IntelliJ IDEA, WebStorm, PHPStorm, RubyMine

Each project developed using JetBrains products will create its own hidden directory .idea/. This directory contains all information about the current project, its files, directories and IDE settings.

Basic structure of the .idea JetBrains folder

workspace.xml contains a lot of useful information that allows enumeration of all files and folders of the application, source version control system information and much more.

<?xml version="1.0" encoding="UTF-8"?>
(...)
<component name="FileEditorManager">
<leaf>
<file leaf-file-name="README.md" pinned="false" current-in-tab="false">
<entry file="file://$PROJECT_DIR$/README.md">
(...)
</component>
(...)

All nodes nested in the component name="FileEditorManager" node contain relative paths to all files and to the project root directory.

Component nodes also hold version control system information, as shown in the following example:

<component name="Git.Settings">
    <option name="UPDATE_TYPE" value="MERGE"/>
    <option name="RECENT_GIT_ROOT_PATH" value="$PROJECT_DIR$"/>
  </component>

Information about commits and other tasks performed on the project files is in the component name="TaskManager" node:

(...)
    <task id="LOCAL-00211" summary="Change WebSocket port to 1099">
      <created>1436206418000</created>
      <option name="number" value="00211"/>
      <option name="project" value="LOCAL"/>
      <updated>1436206418000</updated>
    </task>
(...)

Change history is stored in the component name="ChangeListManager" node:

<component name="ChangeListManager">
(...)
<change type="DELETED" beforePath="$PROJECT_DIR$/chat/node_modules/socket.io/node_modules/socket.io-adapter/node_modules/debug/Makefile" afterPath=""/>
(...)
</component>

And in the component name="editorHistoryManager" node:

(...)
    <entry file="file://$PROJECT_DIR$/public_html/vendor/angular/angular.js">
      <provider selected="true" editor-type-id="text-editor">
        <state vertical-scroll-proportion="0.0">
          <caret line="3233" column="29" selection-start-line="3233" selection-start-column="29" selection-end-line="3233" selection-end-column="29"/>
        </state>
      </provider>
    </entry>
(...)

If developers have ever used the integrated database manager, there are other very interesting files: dataSources.ids, where the database structure can be found, and dataSource.xml, dataSources.xml, dataSources.local.xml and dbnavigator.xml, which contain information such as the following:

<database>
          <name value="database_name"/>
          <description value=""/>
          <database-type value="MYSQL"/>
          <config-type value="BASIC"/>
          <database-version value="5.7"/>
          <driver-source value="BUILTIN"/>
          <driver-library value=""/>
          <driver value=""/>
          <host value="localhost"/>
          <port value="3306"/>
          <database value="mywebapp"/>
          <url-type value="DATABASE"/>
          <os-authentication value="false"/>
          <empty-password value="false"/>
          <user value="root"/>
          <password value="cm9vdA=="/> <!-- Base64 encoded -->
        </database>

Or even more, as in dataSources.local.xml:

<?xml version="1.0" encoding="UTF-8"?>
<project version="4">
  <component name="dataSourceStorageLocal">
    <data-source name="MySQL - mywebapp@localhost" uuid="8681098b-fc96-4258-8b4f-bfbd00012e2b">
      <secret-storage>master_key</secret-storage>
      <user-name>root</user-name>
      <schema-pattern>mywebapp.*</schema-pattern>
      <default-schemas>mywebapp.*</default-schemas>
    </data-source>
  </component>
</project>

Everything depends on the project itself and on the IDE plugins used (such as a debugger, source version control or database manager).

NetBeans IDE

NetBeans (https://netbeans.org/) is another very popular free IDE for Java, C/C++, PHP, HTML5 and JavaScript development.

NetBeans creates its own folder in the root folder of the project, containing all project settings: nbproject/ (similar to the .idea folder created by JetBrains IDEs).

project.xml is the NetBeans project configuration file. It is a good starting point when looking for sensitive details.

Basic structure of the .nbproject folder

1.4, other configuration files

NodeJS/Javascript specific configuration file

Examples are the npm configuration files (package.json, package-lock.json), which contain all application dependencies; configuration files for JavaScript linters such as ESLint or JSHint; the Bower package manager's bower.json; and so on.

Example bower.json file, which contains Bower’s configuration and contains a list of packages used in the web application (front-end):

{
  "name": "testapp",
  "version": "2.1.0",
  "authors":[
    "Rafal 'bl4de' Janicki <[email protected]>"
  ],
  "description": "test application",
  "main":"index.html",
  "moduleType":[
    "globals"
  ],
  "license":"MIT",
  "dependencies": {
    "angular": "1.4",
    "pure": "~0.5.0",
    "angular-route": "~1.2.26",
    "angular-ui-router": "~0.2.11",
    "angular-bootstrap-datetimepicker":"latest",
    "angular-translate": "~2.6.1"
  },
  "devDependencies":{}
}

Since package.json is a list of server-side details – used packages such as database connectors, middleware components, etc. – this file may contain a lot of information about potentially vulnerable software.

Example package.json showing possible use of a MySQL database, with some client-server communication via WebSockets:

{
  "name": "Test application server dependencies",
  "version": "1.0.0",
  "author": "bl4de",
  "dependencies": {
    "socket.io": "^1.3.5",
    "mysql":"^2.9.0"
  }
}

The same goes for .bowerrc, .eslintrc, .jshintrc and other files. Even if they don’t contain very sensitive information, it is possible to find some details about the web application architecture, the libraries and/or frameworks used, or even some valuable information in the comments.

GitLab CI/CD .gitlab-ci.yml configuration file

When a project uses GitLab Continuous Integration (GitLab CI/CD), a very specific vulnerable file exists in the project root folder: .gitlab-ci.yml . This file may contain a lot of very sensitive information: details about the testing and build processes, detailed commands run on each step of such processes and a lot of other critical information.

An example of a .gitlab-ci.yml file can be found here

Ruby on Rails database.yml file

The main database configuration file, containing everything needed to connect to the database: username, password, and other configuration details.

macOS .DS_Store file

One special thing about macOS systems is a file called .DS_Store. This file is created by the macOS file explorer application Finder and is often mistakenly committed to the source version control repository.

What makes .DS_Store files so useful is that they hold information about the configuration of a Finder window, including the layout of icons that represent the files and folders displayed in a specific Finder window.

If you find a .DS_Store file on your web server, it can reveal a lot of sensitive information about the resources stored there.

Basic structure of .DS_Store file

In the .DS_Store file we can identify files such as config, LICENSE, loader or package.json, but also the node_modules/, pages/, utils/ and wrappers/ folders – a typical structure for a NodeJS application.

The main problem with .DS_Store files is that the format is Apple-specific and not easily readable. One of the best resources on this format (and a Python library for parsing it) is Parsing the .DS_Store File Format by Sebastian Neef.

0x2, Tools

Enumeration tools (DirBuster, Dirb, wfuzz, to name a few) work from dictionaries containing hundreds of thousands of the most popular folder and file names, common robots.txt entries, and more.

Dictionary resources:

https://github.com/danielmiessler/SecLists

https://github.com/danielmiessler/RobotsDisallowed
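The names such dictionaries contain can also be checked on your own side before a release. This added example (not from the original article) walks a document root and reports the folders and files named in this article; the category labels and the sample directory layout are constructed for the example.

```python
import os
import tempfile

# Names taken from this article; the category labels are this example's own.
FLAGGED_DIRS = {".git": "version control", ".svn": "version control",
                ".idea": "IDE configuration", "nbproject": "IDE configuration"}
FLAGGED_FILES = {
    ".gitignore": "version control",
    ".DS_Store": "desktop metadata",
    ".gitlab-ci.yml": "CI/CD configuration",
    "database.yml": "database configuration",
}
for _name in (".npmrc", ".htaccess", "package.json", "package-lock.json",
              "bower.json", ".bowerrc", ".eslintrc", ".jshintrc",
              "config.json", "config.yml", "config.xml"):
    FLAGGED_FILES[_name] = "project configuration"

def audit_docroot(root):
    """Return sorted (relative path, category) pairs for flagged entries under root."""
    findings = []
    for current, dirs, files in os.walk(root):
        rel = os.path.relpath(current, root)
        prefix = "" if rel == "." else rel.replace(os.sep, "/") + "/"
        for d in list(dirs):
            if d in FLAGGED_DIRS:
                findings.append((prefix + d + "/", FLAGGED_DIRS[d]))
                dirs.remove(d)  # report the folder once; do not list its contents
        for f in files:
            if f in FLAGGED_FILES:
                findings.append((prefix + f, FLAGGED_FILES[f]))
    return sorted(findings)

def sample_findings():
    """Build a constructed document root in a temp dir and audit it."""
    layout = [".git/HEAD", ".idea/workspace.xml", "index.html",
              "api/package.json", "api/.DS_Store", "api/server.js",
              "config/database.yml", "static/app.js"]
    with tempfile.TemporaryDirectory() as root:
        for path in layout:
            full = os.path.join(root, *path.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write("constructed sample\n")
        return audit_docroot(root)

if __name__ == "__main__":
    for path, category in sample_findings():
        print(f"{category:24} {path}")
```

Run as a build or deployment step, a non-empty result from audit_docroot() on the real document root is a reason to fail the release.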

0x3, Reference

https://medium.com/@_bl4de/hidden-directories-and-files-as-a-source-of-sensitive-information-about-web-application-84e5c534e5ad
