Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. ItΒ collects links to all the places you might be looking at while hunting down a tough bug.
And, if youβre still stuck at the end, weβre happy to hop on a call to see how we can help out.
[β] Exposed Prometheus Metrics Endpoint
See original GitHub issueβ Challenge idea
Description
Modern services often expose metrics about the current state of the service / server on a /metrics endpoint. This endpoint is then scraped by systems like prometheus to gather these metrics over time.
These metrics endpoint is not really intended for βnormalβ users. Yet prometheus security model explicitly states that is is expected that untrusted users should be able to access the metrics data, see https://prometheus.io/docs/operating/security/#prometheus. In the security review performed by the CNCF this was mentioned but later decided to ignore as expected behavior by prometheus team. (See https://prometheus.io/assets/downloads/2018-06-11--cure53_security_audit.pdf PRM-01-002: Clients leak Metrics data thought unprotected endpoints)
Normal setups try not to expose approaches include routing the /metrics endpoint to a 404 page via a loadbalancer / reverse proxy sitting in front of the application. Or protect the endpoint using http basic auth.
The Juice Shop could have its own /metrics endpoint exposing Juice Shop related metrics to the instance, obviously exposed via any auth / protection.
- Orders completed
- Juices sold
- Users signed up
- Challenges solved
Adding this challenge would also mean that one could use prometheus / grafana to monitor all their Juice Shop instances π
Adding such metrics would also be relatively easy using: https://github.com/siimon/prom-client
Underlying vulnerability/ies
I donβt think there is a CVE or anything open for it.
In OWASP Top 10 terms would probably be a βSecurity Misconfigurationβ or βSensitive Data Exposureβ Challenge.
Expected difficulty
| βοΈ / β | Difficulty |
|---|---|
| βοΈ | β |
| βοΈ | ββ |
| β | βββ |
| β | ββββ |
| β | βββββ |
| β | ββββββ |
Possible attack flow
- Open Browser.
- Open
/metricsendpoint. - Profit of all the juicy information π
Issue Analytics
- State:
- Created 4 years ago
- Reactions:1
- Comments:9 (6 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
Great job, @Scar26! Thank you! Please send me an email with your address so I can send you a couple of stickers!
This thread has been automatically locked because it has not had recent activity after it was closed. π Please open a new issue for regressions or related bugs.