Critical Security Findings at the University of Cambridge: A Methodology for Detecting Exposed Credentials
How I discovered two critical vulnerabilities that exposed sensitive credentials and led to unauthorized access.
b-ismi-llāhi r-raḥmāni r-raḥīmi — In the name of Allah, The Most Gracious and The Most Merciful.
In 2022, during my security research on the University of Cambridge’s web applications, I discovered two critical vulnerabilities that exposed sensitive credentials and led to unauthorized access. For my responsible disclosure of these security issues, I was honoured with a Letter of Appreciation from the University of Cambridge.
Methodology
To find these vulnerabilities, I used an automated, efficient approach by leveraging publicly available tools and my custom-built tools — FetchAllSrc and JSLeakRecon. Below is a step-by-step breakdown of my methodology:
1. Initial Data Collection Using waymore
The first step in my methodology was to gather all potential files that might contain sensitive information. To do this, I utilized the waymore tool, which collects URLs from various archives like Wayback Machine, Alien Vault, and Common Crawl. The aim was to find files with potentially exposed sensitive information such as JavaScript files, configuration files, and logs.
I ran the following command:
waymore -i cam.ac.uk -mode U -ko "\.(js|env|config|json|yaml|yml|conf|cnf|db|log)(\?|$)" -oU out.txt
This command collects all URLs of interest based on specific file extensions. These file types might contain sensitive configurations data or credentials.
2. Downloading Files Using FetchAllSrc
Once I had a list of potential files that could contain sensitive data, I used my custom tool FetchAllSrc to download all the files locally for further analysis. This step is crucial because it allows offline, systematic analysis of the files using various techniques.
Here is the command I used for FetchAllSrc:
fas -i out.txt -o camjs
This command takes the file list created in the previous step and downloads all the files into a local directory (`camjs`), enabling me to analyze them thoroughly.
3. Running JSLeakRecon for Credential Detection
After downloading all relevant files, I used another custom tool I developed called JSLeakRecon. This tool specializes in scanning JavaScript files and other text-based resources for hardcoded credentials, tokens, and secrets that may have been mistakenly exposed.
The command I used was as follows:
python3 jsleakrecon.py -f /path/to/camjs -o result-camjs.html
JSLeakRecon performed an extensive analysis on the downloaded files and successfully identified several leaks. One such leak was present in a `.json` file containing SCP credentials and the second was a MySQL database credential hardcoded into a `.yml` file. These findings are critical since exposed credentials can be used to gain unauthorized access to sensitive databases and web servers.
Finding 1: SCP Credentials Exposed in a `.json` File
As shown in the screenshot provided, I found exposed SCP (Secure Copy Protocol) credentials in a `.json` file, available via a public URL. The leak included both a username and a password. This is a critical vulnerability, as it provides direct access to the web server’s file system, potentially leading to complete compromise of the web application.
Finding 2: MySQL Database Credentials Exposed in a `.yml` file
In another instance, I discovered exposed MySQL database credentials in a publicly accessible .yml file. These credentials provide access to a MySQL database running on the server, giving an attacker full control over the database, which could lead to data theft or manipulation.
DB_MYSQL_HOST: "***.***.**.**"
DB_MYSQL_PORT: 3306
DB_MYSQL_USER: "*******"
DB_MYSQL_PASSWORD: "*********"
DB_MYSQL_NAME: "****"
Impact of the Vulnerabilities
The vulnerabilities I identified are extremely critical, as they expose credentials for two essential services: file transfer via SCP and a MySQL database. Any attacker with this information could exploit these services, leading to serious consequences such as:
- Unauthorized access to sensitive data
- Modification or deletion of critical files
- Database manipulation, leading to data breaches
- Service disruptions, possibly affecting the entire application
Resolution and Responsible Disclosure
After discovering these vulnerabilities, I responsibly disclosed them to the security team at the University of Cambridge. Following their internal processes, the vulnerabilities were quickly addressed, and the exposed files were secured. I was honoured to receive a Letter of Appreciation from the university for my efforts in improving their security posture.
This finding underscores the importance of thorough web application security testing, particularly focusing on publicly accessible configuration files and JavaScript files that may contain sensitive information. My custom-built tools, FetchAllSrc and JSLeakRecon, played a pivotal role in streamlining the discovery process. These tools enabled me to efficiently identify and retrieve critical data, leading to the successful detection of sensitive information disclosure vulnerabilities.