Kibana: the new toy for pentesters, bughunters & hackers

What is Kibana?

Mar 26, 2019 · 2 min read

Going by the definition on the website:

Kibana lets you visualize your Elasticsearch data and navigate the Elastic Stack, so you can do anything from learning why you’re getting paged at 2:00 a.m. to understanding the impact rain might have on your quarterly numbers. (or just leave your big data exposed in the wild as a complete noob — ndr)


Kibana is a very useful tool for interacting with all the data flowing into your Elasticsearch stack. Elastic and Elasticsearch are data-gathering focused applications which allow users to consume and process that data in a wide range of ways and for many different purposes.

As of today (25 March 2019) a search gives 26,833 (!!!) Kibana instances running on the internet (growing by around 35 to 70 per day over the last weeks). Of course, as with any other well programmed web app, you can secure access to your public Kibana app with many login methods.
The real and practical issue lies in:

  1. Lack of clear documentation for the medium-skilled developer about securing a Kibana instance
  2. A bad security-chain practice which results in a secure server infrastructure being compromised by the last node of the security chain (!!!)

The first point speaks for itself.

About the real issue: even if your server is well secured and well configured and your Elasticsearch is bound to localhost or some other loopback address, an unprotected Kibana app running on top of the Elasticsearch stack can compromise your server's operation and allow unauthenticated users to access the Kibana dashboard (with admin privileges), thus gifting malicious entities a strong foothold for further privilege escalation attacks.

In my research I found that a misconfigured Apache or Nginx reverse proxy which serves a login page on port 80 or 8080 can also be easily bypassed, and we can connect directly to the Kibana app port (5601 by default) if this isn't properly bound to private access.
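The two paragraphs above describe the failure mode: Elasticsearch bound to loopback, but Kibana's own port reachable past the reverse proxy. The following shell script is an added example, not code from the original post: it flags Kibana listeners bound to non-loopback addresses in `ss -ltn` / `netstat -ltn` output and checks the `server.host` setting in a kibana.yml. The socket listing sample is constructed, and `KIBANA_PORT` and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added audit helper (not from the original post): flag Kibana listeners
# bound to anything other than a loopback address, and check server.host in
# kibana.yml. Input for the first check is `ss -ltn` / `netstat -ltn` output.

KIBANA_PORT="${KIBANA_PORT:-5601}"

# Read a socket listing on stdin; print every listener on KIBANA_PORT whose
# local address is not loopback. Exit status 0 = at least one exposed listener.
exposed_kibana_listeners() {
  awk -v port="$KIBANA_PORT" '
    {
      for (i = 1; i <= NF; i++) {
        if ($i ~ (":" port "$")) {       # local-address column, e.g. 0.0.0.0:5601
          addr = $i
          sub(":" port "$", "", addr)    # drop the port
          gsub(/\[|\]/, "", addr)        # drop IPv6 brackets: [::1] -> ::1
          if (addr !~ /^127\./ && addr != "::1" && addr != "localhost") {
            print addr ":" port
            found = 1
          }
        }
      }
    }
    END { exit found ? 0 : 1 }'
}

# Exit 0 when the effective server.host in the given kibana.yml is a loopback
# address, 1 when it is a wildcard/public address or not set at all (then the
# version-specific default applies and must be checked by hand).
kibana_yml_binds_loopback() {
  host=$(sed -n 's/^[[:space:]]*server\.host:[[:space:]]*//p' "$1" \
         | tail -n 1 | sed 's/[[:space:]]*#.*//; s/[[:space:]]*$//' | tr -d "\"'")
  case "$host" in
    localhost|127.0.0.1|::1) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample of `ss -ltn` output: Elasticsearch correctly on loopback
# (9200), Kibana exposed on all IPv4 interfaces and also on IPv6 loopback.
SAMPLE_SS='LISTEN 0 511 127.0.0.1:9200 0.0.0.0:*
LISTEN 0 511 0.0.0.0:5601 0.0.0.0:*
LISTEN 0 511 [::1]:5601 [::]:*'

# Stand-alone run: prints "0.0.0.0:5601" and reports the exposure.
if printf '%s\n' "$SAMPLE_SS" | exposed_kibana_listeners; then
  echo "Kibana reachable outside the reverse proxy; bind server.host to localhost"
fi
```

On a live host, pipe the real `ss -ltn` output into `exposed_kibana_listeners` and point `kibana_yml_binds_loopback` at the deployed kibana.yml; an exposed listener with a loopback-only proxy_pass in Nginx is exactly the bypass the post describes.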


Stay safe out there.

If this helped please share a coffee, a beer or some healthy juice with me donating with #bitcoin at 14Q6FnBkwFXchnUd3ddakTPiX29gTqUdaK
