Name: Exposed Metrics
Description: Find the endpoint that serves usage data to be scraped by a popular monitoring system.
Difficulty: 1 star
Category: Sensitive Data Exposure
Expanded Description: https://pwning.owasp-juice.shop/part2/sensitive-data-exposure.html
Prometheus documentation: https://prometheus.io/docs/introduction/first_steps
RTFM is the fastest route to solving this. The expanded description provides both the name of the monitoring system and a link to its documentation. It will likely take less than 30 seconds of scanning to find the default link, and maybe another 5-10 to type it into the address bar. In all likelihood, your first guess will be right: http://localhost:3000/metrics
Prevention and mitigation strategies:
Don't allow ordinary users to access usage metrics. Changing the link to something less generic (and non-default), along with restricting access to whitelisted IP addresses, will provide reasonable protection. If you really want to obfuscate the link, you could even encode a password and use that as the path.
Lessons Learned and Things Worth Mentioning:
- Nothing, really. Always remember that Juice Shop is intentionally insecure. Default links and easily guessable answers should be somewhat expected at the 1 star level.