How a "harmless" log file turned into cache poisoning and unexpected data exposure
Hey there!😁

😵💫 Life Lesson #1:
You know how you clean your room… but shove all the mess under the bed?
Yeah… companies do that too.
Except their "bed" is /logs/ — and sometimes… they forget to hide it.
😏 Life Lesson #2:
Developers don't delete logs. They just hope nobody finds them.
🧠 Life Lesson #3:
If something is publicly accessible… it's not "internal" anymore.
🤫 Life Lesson #4:
And if it's indexed? Congratulations — it's now part of your recon.
🎯 The Setup — Boredom + Recon = Chaos
It started like most hunts do.
Late evening. Room quiet. Laptop glowing like it's the only thing that understands you.
- Coffee ☕ (already cold)
- Music playing… but you're not even listening
- Browser tabs slowly multiplying like a bug you forgot to fix
At some point, you stop scrolling social media and think:
"Let me just check one target…"
Yeah… it's never just one.
🔍 Phase 1 — Mass Recon (Where the Magic Starts)
Instead of rushing, I took a step back and mapped the surface.
subfinder -d target.com -all -recursive -o subs.txt
amass enum -passive -d target.com >> subs.txt
httpx -l subs.txt -o live.txt

Then filtered the interesting ones:

grep -E "dev|test|stage|api|internal|admin" live.txt

One subdomain quietly appeared:

logs-api.target.com

No fireworks. No drama.
Just sitting there like:
"I've been here the whole time."
😅 Random Thought
There's always that one subdomain nobody cares about.
Not monitored. Not secured. Not even remembered.
Kind of like that one friend in a group chat who reads everything… but never replies.
🧪 Phase 2 — Directory Bruteforce
I poked around:
dirsearch -u https://logs-api.target.com/ -e log,txt,json,bak,zip

And found:

/logs/
/logs/access.log
/logs/error.log
/logs/debug.log

No authentication.
At this point I just smiled.
Because this wasn't going to be a fight… this was going to be a conversation.
📜 Phase 3 — Reading Logs Like a Story
Opened access.log.
At first, it felt like reading someone else's browsing history:
GET /home 200
GET /api/user 200

Then suddenly:

GET /api/internal/export?user_id=4821&token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

And just like that… the logs started talking.
🧠 Weird Realization
Logs are like diaries.
Except nobody writes them intentionally… and they accidentally reveal way more than they should.
😈 Phase 4 — Replaying the Request
Copied the token. Replayed it.
curl -H "Authorization: Bearer eyJhbGciOi..." \
  "https://api.target.com/api/internal/export?user_id=4821"

Response came back clean.
Structured. Detailed.
Almost like the system trusted me.
😶 That Moment
You know that feeling when something works… but it shouldn't?
Yeah. That.

🧠 Phase 5 — Thinking Like the System
I paused and asked:
Why does this endpoint even exist?
Answer felt obvious:
👉 Internal dashboard 👉 Export functionality 👉 Probably cached for speed
So I checked headers.
💣 Phase 6 — Cache Behavior
X-Cache: HIT
Via: CDN

And that tiny detail changed everything.
🧠 Late Night Thought
At 2AM, everything feels like a conspiracy.
But sometimes… it actually is.
🔬 Phase 7 — Testing the Edges
I started nudging the request:
curl -H "X-Forwarded-Host: evil.com" https://api.target.com/api/internal/export

Then:

curl -H "Host: attacker.com" https://api.target.com/api/internal/export

The response shifted.
Not dramatically. But enough.

😏 That Tiny Change
Sometimes vulnerabilities don't scream.
They whisper.
🧨 Phase 8 — Putting It Together
I crafted a simple request:
GET /api/internal/export HTTP/1.1
Host: api.target.com
X-Forwarded-Host: attacker.com

Response:

"export_url": "https://attacker.com/exports/admin_full_dump.csv"

And just like that… the system accepted my version of reality.

😅 Honest Thought
At this point I wasn't even surprised.
Just sitting there like:
"Yeah… that makes sense."
😶 What Happened Next
That response got cached.
Meaning:
Any normal request to that endpoint… would now receive the modified output.
No tricks needed.
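As an added illustration (not the post's, the target's or the CDN's code), here is a toy model of the mechanism Phases 6 to 8 describe: an origin that reflects X-Forwarded-Host into export_url, an edge cache keyed on Host and path only, and the two fixes a defender would apply at origin and at the edge. The TRUSTED_HOSTS allowlist, the export path and the Cache class are assumptions.

```python
# Constructed model of the behaviour the post describes, not the target's or the CDN's code:
# the origin reflects X-Forwarded-Host into export_url, and the edge cache keys the response
# on Host + path only. TRUSTED_HOSTS and EXPORT_PATH are assumptions.
TRUSTED_HOSTS = {"api.target.com"}
EXPORT_PATH = "/exports/admin_full_dump.csv"

def origin_vulnerable(headers):
    """Builds the absolute export link from whatever host the request claims to be for."""
    host = headers.get("X-Forwarded-Host") or headers["Host"]
    return {"export_url": f"https://{host}{EXPORT_PATH}"}

def origin_hardened(headers):
    """Never consults forwarding headers; Host must be one the service is really served under."""
    host = headers["Host"].lower()
    if host not in TRUSTED_HOSTS:
        raise ValueError(f"unexpected Host header: {host!r}")
    return {"export_url": f"https://{host}{EXPORT_PATH}"}

class Cache:
    """Toy CDN. The key is (Host, path), so X-Forwarded-Host is *unkeyed*: two requests that
    differ only in that header share one entry. A spoofed Host, by contrast, gets its own key,
    which is why the forwarding header is the dangerous one. strip_forwarding models the
    edge-side fix of dropping client-supplied forwarding headers before they reach the origin."""

    def __init__(self, origin, strip_forwarding=False):
        self.origin, self.strip, self.store, self.log = origin, strip_forwarding, {}, []

    def get(self, path, headers):
        key = (headers["Host"].lower(), path)
        if key in self.store:
            self.log.append("HIT")
            return self.store[key]
        if self.strip:
            headers = {k: v for k, v in headers.items() if k.lower() != "x-forwarded-host"}
        self.store[key] = self.origin(headers)
        self.log.append("MISS")
        return self.store[key]

def poisoning_scenario(origin, strip_forwarding=False):
    """One request carrying X-Forwarded-Host, then an ordinary user's request.
    Returns the export_url the ordinary user is served plus the HIT/MISS trace."""
    cache = Cache(origin, strip_forwarding)
    cache.get("/api/internal/export",
              {"Host": "api.target.com", "X-Forwarded-Host": "attacker.com"})
    victim = cache.get("/api/internal/export", {"Host": "api.target.com"})
    return victim["export_url"], cache.log
```

Either fix alone is enough for the ordinary user to get the legitimate link back; applying both means a regression in one layer is still caught by the other.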
🧪 Phase 9 — Going Back to the Logs
I went back and looked again.
Because once logs start leaking… they don't stop.
Found more entries:
POST /api/v1/payment/initiate
Authorization: Bearer <token>

At this point, the logs didn't feel like files anymore.
They felt like documentation the developers never meant to publish.
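Added example, not the post's code: the check a defender would run on a log before it is shipped anywhere, let alone into a web-readable directory. It flags the two leak shapes quoted in Phase 3 and Phase 9 (a token in a query string, an Authorization header written into the log line) and redacts them while keeping the line useful; the sample lines and the JWT in them are constructed.

```python
import re

# Constructed sample lines modelled on the entries quoted in the post; not the real file.
# The JWT is made up: header {"alg":"HS256","typ":"JWT"}, payload {"sub":"4821"}, fake signature.
SAMPLE_LOG = """\
GET /home 200
GET /api/user 200
GET /api/internal/export?user_id=4821&token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiI0ODIxIn0.c2lnbmF0dXJl 200
POST /api/v1/payment/initiate Authorization: Bearer abc.def.ghi 200
"""

# The two leak shapes the post shows: a credential in a query parameter and an
# Authorization header written into the log line. A bare JWT anywhere is caught too.
SECRET_PARAM = re.compile(r"([?&](?:token|access_token|auth|key|api_key)=)([^&\s]+)", re.I)
BEARER = re.compile(r"(Authorization:\s*Bearer\s+)(\S+)", re.I)
JWT = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")

def find_leaks(log_text):
    """Return (line_no, kind) for each line carrying a credential; usable as a log-shipper gate."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if SECRET_PARAM.search(line):
            hits.append((n, "query-param"))
        elif BEARER.search(line):
            hits.append((n, "bearer-header"))
        elif JWT.search(line):
            hits.append((n, "jwt"))
    return hits

def redact_line(line):
    """Mask the secret but keep method, path and status so the line stays useful to ops."""
    line = SECRET_PARAM.sub(lambda m: m.group(1) + "[REDACTED]", line)
    line = BEARER.sub(lambda m: m.group(1) + "[REDACTED]", line)
    return JWT.sub("[REDACTED-JWT]", line)

def scrub_log(log_text):
    """Redact every line; this is what should have reached disk in the first place."""
    return "\n".join(redact_line(l) for l in log_text.splitlines())

if __name__ == "__main__":
    for n, kind in find_leaks(SAMPLE_LOG):
        print(f"line {n}: {kind}")
    print(scrub_log(SAMPLE_LOG))
```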
🌑 A Thought That Stuck With Me
Somewhere online, I once read:
"Logs don't just show data. They show intent."
And honestly… that's exactly what this felt like.

🔥 Pattern I Keep Seeing
Across different targets:
- Logs exposing tokens
- Debug files revealing flows
- Internal APIs quietly accessible
Not because of complex bugs…
But because nobody expected anyone to look there.

🧠 Techniques That Always Help
🔍 Look for Logs
dirsearch -e log,txt,json

🧪 Search Smarter
site:target.com ext:log

🧬 Extract What Matters
grep -i "token\|auth\|key" access.log

🧨 Test Behavior, Not Just Endpoints
- Headers
- Cache
- Reflections
🎤 Final Thoughts
That night didn't feel like hacking.
It felt like:
- Reading someone else's notes
- Following breadcrumbs
- And connecting things that weren't supposed to connect
🧠 One Thing I Always Remember
During recon:
👉 The boring stuff matters 👉 The forgotten stuff matters more 👉 And the "internal" stuff… matters the most
Because sometimes…
The system isn't hiding anything. It's just quietly waiting for someone curious enough to notice.
Connect with Me!
- Instagram: @rev_shinchan
- Gmail: rev30102001@gmail.com