subfinder -d redacted.com
ffuf -u https://subdomain.redacted.com/FUZZ -w dicc.txt
As I ran the scan, I stumbled upon an interesting discovery: the endpoint /server
was returning a 301 redirect status. Curious about this redirect, I attempted to access the endpoint in my browser, which promptly redirected me to the following endpoint: /server/rest/services.
This piqued my interest, so I began to investigate the /server/rest/services endpoint more closely. Through some experimentation, I was able to find that the endpoint was susceptible to an Information Disclosure vulnerability (CVE-2021-29115), which allowed me to access sensitive information about the application and its environment.
By reporting this vulnerability to the bug bounty program, I was able to earn a HOF for my findings. It just goes to show how a few simple tools and a bit of persistence can lead to a successful bug bounty hunt!
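As an added illustration from the defender's side (not code from the original post), the following Python flags in web-server access logs the trail the hunt above leaves behind: a burst of 404s from one host (directory fuzzing), ffuf's default User-Agent, and a request to the ArcGIS Services Directory at /server/rest/services. The log lines are constructed, and the User-Agent check assumes ffuf's default "Fuzz Faster U Fool" string.

```python
import re
from collections import defaultdict

# Apache/nginx combined log format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
SERVICES_DIR = "/server/rest/services"  # ArcGIS Server REST Services Directory

# Constructed sample log (not from the original post): one host dirbusting with
# ffuf, hitting the /server redirect, then browsing the Services Directory.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2023:12:00:01 +0000] "GET /admin HTTP/1.1" 404 153 "-" "Fuzz Faster U Fool v1.5.0"
203.0.113.5 - - [10/Mar/2023:12:00:01 +0000] "GET /backup HTTP/1.1" 404 153 "-" "Fuzz Faster U Fool v1.5.0"
203.0.113.5 - - [10/Mar/2023:12:00:01 +0000] "GET /config HTTP/1.1" 404 153 "-" "Fuzz Faster U Fool v1.5.0"
203.0.113.5 - - [10/Mar/2023:12:00:02 +0000] "GET /server HTTP/1.1" 301 0 "-" "Fuzz Faster U Fool v1.5.0"
203.0.113.5 - - [10/Mar/2023:12:00:09 +0000] "GET /server/rest/services HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2023:12:01:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

def parse_log(text):
    """Parse combined-format lines into dicts; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"])
            entries.append(d)
    return entries

def analyze(entries, min_404=3, min_ratio=0.5):
    """Return {ip: flags} for hosts that look like they are enumerating paths or
    reading the Services Directory; hosts with no flags are omitted."""
    stats = defaultdict(lambda: {"total": 0, "404": 0, "flags": set()})
    for e in entries:
        s = stats[e["ip"]]
        s["total"] += 1
        if e["status"] == 404:
            s["404"] += 1
        if e["path"] == SERVICES_DIR or e["path"].startswith(SERVICES_DIR + "/"):
            s["flags"].add("services_directory_access")
        if "fuzz faster u fool" in e["ua"].lower():  # ffuf default UA; easily changed
            s["flags"].add("ffuf_user_agent")
    for s in stats.values():  # many 404s at a high ratio is the robust dirbusting signal
        if s["404"] >= min_404 and s["404"] / s["total"] >= min_ratio:
            s["flags"].add("directory_bruteforce")
    return {ip: s["flags"] for ip, s in stats.items() if s["flags"]}
```

The User-Agent match is a weak signal on its own; the 404 ratio and any read of the Services Directory are what merit a look, and Esri's guidance to disable the Services Directory in production removes the exposure entirely.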
Vulnerability Report:
Description
An information disclosure vulnerability in the ArcGIS Service Directory in Esri ArcGIS Enterprise and below may allow a remote attacker to view hidden field names in feature layers. This issue may reveal field names, but does not disclose features.
Steps To Reproduce:
Navigate to https://Redacted.com/server/rest/services
Supporting Material/References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29115
POC: