The "TMI" Endpoint: Why Unauthenticated Health Checks Are a Hacker's Best Friend (And Why I Got 0…

It wasn't an RCE. It wasn't an SQLi. It was a simple JSON response that told me exactly which version of Java to attack. Here is the story…

Zer0Figure

~4 min read · January 28, 2026 (Updated: January 28, 2026) · Free: Yes

It wasn't an RCE. It wasn't an SQLi. It was a simple JSON response that told me exactly which version of Java to attack. Here is the story of an "Informational" finding that would be critical in a real Red Team operation.

Introduction: The Breadcrumbs of War

In the Bug Bounty world, we are conditioned to hunt for the "Big Boom" — the Remote Code Execution (RCE) that takes over a server, or the Broken Access Control (BAC) that leaks user data.

But before the boom, there is Reconnaissance.

Reconnaissance is the art of gathering intelligence. If I am an attacker, I don't want to throw 1,000 random exploits at a firewall; I want to throw one specific exploit that I know will work. To do that, I need to know the target's technology stack down to the decimal point.

Recently, I found an endpoint on a major government portal (RedactedGov.gov) that did exactly that. It didn't ask for a password. It didn't check if I was an admin. It just happily handed over its Exact Java Build Version and internal file paths.

This report was marked as Informational (P5) — meaning no money. But in this article, I want to explain why these "boring" bugs are actually the breadcrumbs that lead to critical findings.

Phase 1: The Discovery (Fuzzing the API)

I was testing the API of a submission portal. The application was modern, using JWT (JSON Web Tokens) for almost every request. If I tried to access /api/submissions/create or /api/profile, I was immediately blocked with a 401 Unauthorized.

Secure, right?

I decided to look for "Infrastructure" endpoints — URLs that developers use to check if the server is alive. These are often forgotten during security hardening because they "don't contain user data."

I ran a directory brute-force tool (like Ffuf or Dirbuster) against the API base URL.

The Scan: GET /api/submissions/converter/health

The Expectation: 401 Unauthorized OR {"status": "UP"}

The Reality: 200 OK

Phase 2: The Leak (What Did I Find?)

The server didn't just tell me it was "UP." It gave me a full biography.

The Request:

GET /api/submissions/converter/health HTTP/1.1
Host: api.redactedgov.gov
Accept: application/json

The Response (Redacted):

{
  "implementationVersion": "2025.12.16.01-RELEASE",
  "status": "OK",
  "javaVersion": "jdk-17.0.17+10",
  "pcfClose": "2025-12-31 - 20:00:00 EST",
  "validationFile": "testCpcPlusValidationFile.json"
}

At first glance, this looks boring. But let's put on our "Black Hat" glasses and analyze this data.

1. The Java Version (`jdk-17.0.17+10`)

This is the Holy Grail of Fingerprinting. If I know you are running JDK 17.0.17, I can go to the CVE database and look for vulnerabilities that were patched in 17.0.18.

Scenario: If a new Java Deserialization vulnerability drops tomorrow for versions < 17.0.19, I don't need to guess if you are vulnerable. I know you are. I can launch a precise exploit that bypasses generic WAF rules because it is tailored to your exact environment

2. The Implementation Version (`2025.12.16.01`)

This reveals the Deployment Cycle. The date 2025.12.16 tells me exactly when this code was pushed.

Insight: If I see a date from 2023, I know this is an abandoned "Zombie" server that likely hasn't been patched for years. It tells me to focus my energy here.

3. The Validation File (`testCpcPlusValidationFile.json`)

This leaks Internal Naming Conventions. It tells me the system uses JSON files for validation and gives me a potential filename to fuzz for. Can I download this file? Can I upload a file with a similar name to overwrite it? It opens new attack surfaces.

Phase 3: The Verdict (Informational vs. Critical)

I submitted the report, arguing that this facilitates Technology Fingerprinting.

The Response:

Status: Informational (P5) "This issue lacks a demonstrated risk and is considered a security best practice recommendation."

Was the Triage Team wrong? Technically, no. In Bug Bounty, you are paid for Impact. Knowing the Java version is not the same as hacking the server. It is useful information, but it is not an exploit.

However, in a Penetration Test or a Red Team Engagement, this would be a valid finding rated Low/Medium. It violates the principle of "Defense in Depth" (Security by Obscurity).

Phase 4: Why You Should Still Care (The "Chain" Theory)

If you are a beginner hunter, don't be discouraged by "Informational" findings. You should look at this finding as Step 1 of a Chain.

Step 1 (The P5): You find the Java Version (jdk-17.0.17).
Step 2 (The Research): You search for CVEs affecting that version. You find a library vulnerability (like Log4Shell or Spring4Shell).
Step 3 (The P1): You use that specific CVE to achieve Remote Code Execution.

Without Step 1, Step 3 is much harder (you're shooting in the dark).

Lessons Learned

Check the /health: Always check for health, status, or info endpoints (/actuator/info, /healthz, /api/status). Developers leave them open for load balancers, forgetting they leak data.
Information is Power: Even if you don't get paid for it, note it down. Knowing the backend technology (Java vs. Node.js vs. Python) changes how you test for other bugs.
Escalate the Impact: If I could have found a CVE specific to jdk-17.0.17 and demonstrated a PoC using it, this report would have instantly jumped from P5 to P1.

Final Score:

Bounty: $0.
Knowledge: Detailed map of the target's backend.
Status: Informational, but invaluable.

Keep hunting! Sometimes the quietest endpoints tell the loudest secrets.

#bug-bounty #bug-bounty-tips #bug-bounty-writeup #cybersecurity #security