From ed01a5aeabe16fa8644e43e01f1e404b5380ae26 Mon Sep 17 00:00:00 2001 From: geeknik <466878+geeknik@users.noreply.github.com> Date: Mon, 28 Oct 2024 10:47:36 -0500 Subject: [PATCH 1/3] Update config-json.yaml Much needed update. --- http/exposures/configs/config-json.yaml | 168 +++++++++++++++++++++--- 1 file changed, 153 insertions(+), 15 deletions(-)
diff --git a/http/exposures/configs/config-json.yaml b/http/exposures/configs/config-json.yaml
index e31686011d1..22be0c4453e 100644
--- a/http/exposures/configs/config-json.yaml
+++ b/http/exposures/configs/config-json.yaml
@@ -1,47 +1,185 @@ id: config-json info: - name: Configuration File - Detect + name: Exposed JSON Configuration Files author: geeknik - severity: medium - description: Multiple configuration files were detected. + severity: critical + description: | + Detects exposed JSON configuration files containing sensitive information including API keys, + access tokens, AWS credentials, database configs, base URLs, file paths, and application settings. + These files often contain production configurations and credentials that should not be publicly accessible. classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - cvss-score: 5.3 + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10.0 cwe-id: CWE-200 metadata: - verified: true - max-request: 4 + max-request: 50 github-query: filename:config.json tags: config,exposure,files http: - method: GET path: - - "{{BaseURL}}/config/default.json" + # Root level configs - "{{BaseURL}}/config.json" + - "{{BaseURL}}/configuration.json" + - "{{BaseURL}}/settings.json" + - "{{BaseURL}}/configs.json" + - "{{BaseURL}}/conf.json" + - "{{BaseURL}}/app.config.json" + - "{{BaseURL}}/application.json" + + # Environment specific configs + - "{{BaseURL}}/config.prod.json" + - "{{BaseURL}}/config.production.json" + - "{{BaseURL}}/config.dev.json" + - "{{BaseURL}}/config.development.json" + - "{{BaseURL}}/config.staging.json" + - "{{BaseURL}}/config.test.json" + - "{{BaseURL}}/config.local.json" + + # Common config paths - "{{BaseURL}}/config/config.json" + - "{{BaseURL}}/config/default.json" + - "{{BaseURL}}/config/prod.json" + - "{{BaseURL}}/config/production.json" + - "{{BaseURL}}/config/development.json" + - "{{BaseURL}}/config/app.json" + + # Application specific paths + - "{{BaseURL}}/app/config.json" + - "{{BaseURL}}/src/config.json" + - "{{BaseURL}}/assets/config.json" + - "{{BaseURL}}/static/config.json" + - "{{BaseURL}}/public/config.json" + - "{{BaseURL}}/dist/config.json" + - 
"{{BaseURL}}/js/config.json" + + # API configs + - "{{BaseURL}}/api/config.json" + - "{{BaseURL}}/api/v1/config.json" + - "{{BaseURL}}/api/v2/config.json" + - "{{BaseURL}}/apiconfig.json" + + # Framework specific + - "{{BaseURL}}/angular/config.json" + - "{{BaseURL}}/react/config.json" + - "{{BaseURL}}/vue/config.json" + + # Credentials & secrets - "{{BaseURL}}/credentials/config.json" + - "{{BaseURL}}/secrets/config.json" + - "{{BaseURL}}/secret/config.json" + - "{{BaseURL}}/keys/config.json" + - "{{BaseURL}}/auth/config.json" + + # AWS related + - "{{BaseURL}}/aws/config.json" + - "{{BaseURL}}/aws/credentials.json" + - "{{BaseURL}}/cloud/config.json" + - "{{BaseURL}}/s3/config.json" + + # Database configs + - "{{BaseURL}}/db/config.json" + - "{{BaseURL}}/database/config.json" + - "{{BaseURL}}/mysql/config.json" + - "{{BaseURL}}/postgres/config.json" + - "{{BaseURL}}/mongodb/config.json" stop-at-first-match: true - + matchers-condition: and matchers: - type: word + part: header words: - - '"api_keys":' - - '"aws":' - - '"server":' + - "application/json" + - "text/json" + - "text/plain" condition: or - + - type: word part: header words: - "text/html" + - "text/php" + condition: or negative: true - + - type: status status: - 200 + + - type: regex + part: body + regex: + - '(?i)(\"(api_key|apikey|token|secret|password|passwd|pwd|auth|access_key|secret_key)\":\s*\"[^\"]{8,}\")' + - '(?i)(\"(aws|azure|gcp|google|slack|github|twitter|facebook)\":\s*\{)' + - '(?i)(\"(host|endpoint|url|uri|connection|server)\":\s*\"[^\"]+\")' + - '(?i)(\"(username|user|uid|login)\":\s*\"[^\"]+\")' + - '(?i)(\"(db|database|mongo|mysql|postgresql|redis)\":\s*\{)' + - '(?i)"production":\s*(true|false)' + - '(?i)"baseUrl":\s*"[^"]+"' + - '(?i)"(accessCode|recaptchaSiteKey|tokenExpire)":\s*"[^"]+"' + - '(?i)"(fileUrl|loginAppUrl|aimBaseUrl)":\s*"[^"]+"' + condition: or + + extractors: + # Original extractors + - type: regex + name: api_credentials + regex: + - 
'\"(api_key|apikey|token|secret|auth)\":\s*\"([^\"]{8,})\"' + - '\"access_token\":\s*\"([^\"]{8,})\"' + - '\"authorization\":\s*\"([^\"]{8,})\"' + + - type: regex + name: aws_credentials + regex: + - '\"aws_access_key_id\":\s*\"([^\"]{20,})\"' + - '\"aws_secret_access_key\":\s*\"([^\"]{20,})\"' + - '\"aws_session_token\":\s*\"([^\"]{20,})\"' + + - type: regex + name: database_credentials + regex: + - '\"(db_password|database_password|mysql_password|postgresql_password|mongo_password)\":\s*\"([^\"]{8,})\"' + - '\"(connection_string|connection_url|database_url)\":\s*\"([^\"]+)\"' + + - type: regex + name: endpoints + regex: + - '\"(url|endpoint|uri|host|server)\":\s*\"(https?://[^\"]+)\"' + - '\"(webhook|callback)\":\s*\"(https?://[^\"]+)\"' + + # New specific extractors + - type: regex + name: base_urls + regex: + - '"baseUrl":\s*"(https?://[^"]+)"' + - '"baseURL":\s*"(https?://[^"]+)"' + - '"fileUrl":\s*"(https?://[^"]+)"' + - '"loginAppUrl":\s*"(https?://[^"]+)"' + - '"aimBaseUrl":\s*"(https?://[^"]+)"' + + - type: regex + name: access_codes + regex: + - '"accessCode":\s*"([A-Za-z0-9+/=]{40,})"' + - '"recaptchaSiteKey":\s*"([A-Za-z0-9_-]{40,})"' + + - type: regex + name: token_config + regex: + - '"tokenExpire":\s*(\d+)' + - '"refreshTokenExpire":\s*(\d+)' + + - type: regex + name: environment + regex: + - '"production":\s*(true|false)' -# digest: 4b0a004830460221008f823fffb82579f1df366875cdb5dbdff71072bdc5eb303dd4c66ae44aff2a88022100c5492cc9f4add1c722de527cb47608a221727d77aea871db02be484319e955dd:922c64590222798bb761d5b6d8e72950 + - type: regex + name: sensitive_endpoints + regex: + - 'https?://[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/(?:login|api|admin|dashboard|auth)' From 0a91a52c7b2e18aed7181295cadf0e9f3a7d5b05 Mon Sep 17 00:00:00 2001 
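Review bot: The body matcher fires on keys that carry no secret — `"production": true|false`, any `"baseUrl"`, `"host"`/`"url"`/`"server"`, `"username"`/`"user"` — and they are joined with `condition: or`, so an ordinary public SPA runtime config (exactly the `assets/config.json` and `public/config.json` paths this hunk adds) matches at `severity: critical` with a `cvss-score: 10.0` vector claiming S:C/C:H/I:H/A:H, none of which the matcher establishes. Keep the body matcher to the credential-bearing patterns (the `api_key|apikey|token|secret|password|…` key and the `aws`/`db` object keys) and leave the `production`, `baseUrl`, `host|endpoint|url|…`, `username|user|…` and `fileUrl|loginAppUrl|aimBaseUrl` patterns to the extractors, where this hunk already has them as `base_urls`, `environment` and `endpoints`; then rate the finding for confidentiality alone, e.g. `severity: high`, `cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N`, `cvss-score: 7.5`. Style: the first five body patterns wrap the expression in `(?i)(…)` and escape quotes as `\"` inside single-quoted YAML, while the remaining patterns use bare `"` and no group — pick one form for the whole file so the regexes read the same way in matchers and extractors.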
From: geeknik <466878+geeknik@users.noreply.github.com> Date: Mon, 28 Oct 2024 10:57:23 -0500 Subject: [PATCH 2/3] Update config-json.yaml add back 2 missing paths --- http/exposures/configs/config-json.yaml | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/http/exposures/configs/config-json.yaml b/http/exposures/configs/config-json.yaml
index 22be0c4453e..41a09851e95 100644
--- a/http/exposures/configs/config-json.yaml
+++ b/http/exposures/configs/config-json.yaml
@@ -50,6 +50,8 @@ http:
 - "{{BaseURL}}/app/config.json"
 - "{{BaseURL}}/src/config.json"
 - "{{BaseURL}}/assets/config.json"
+ - "{{BaseURL}}/assets/config.production.json"
+ - "{{BaseURL}}/assets/configs.json"
 - "{{BaseURL}}/static/config.json"
 - "{{BaseURL}}/public/config.json"
 - "{{BaseURL}}/dist/config.json" From d5c7d745688d0fc1fbe1256be8d2fa5e981a7712 Mon Sep 17 00:00:00 2001 From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com> Date: Tue, 29 Oct 2024 22:10:57 +0530 Subject: [PATCH 3/3] lint fix --- http/exposures/configs/config-json.yaml | 36 ++++++++++++------------- 1 file changed, 18 insertions(+), 18 deletions(-)
diff --git a/http/exposures/configs/config-json.yaml b/http/exposures/configs/config-json.yaml
index 41a09851e95..3e730edd071 100644
--- a/http/exposures/configs/config-json.yaml
+++ b/http/exposures/configs/config-json.yaml
@@ -28,7 +28,7 @@ http: - "{{BaseURL}}/conf.json" - "{{BaseURL}}/app.config.json" - "{{BaseURL}}/application.json" - + # Environment specific configs - "{{BaseURL}}/config.prod.json" - "{{BaseURL}}/config.production.json"
@@ -37,7 +37,7 @@ http: - "{{BaseURL}}/config.staging.json" - "{{BaseURL}}/config.test.json" - "{{BaseURL}}/config.local.json" - + # Common config paths - "{{BaseURL}}/config/config.json" - "{{BaseURL}}/config/default.json"
@@ -45,7 +45,7 @@ http: - "{{BaseURL}}/config/production.json" - "{{BaseURL}}/config/development.json" - "{{BaseURL}}/config/app.json" - + # Application specific paths - "{{BaseURL}}/app/config.json" - "{{BaseURL}}/src/config.json"
@@ -56,31 +56,31 @@ http: - "{{BaseURL}}/public/config.json" - "{{BaseURL}}/dist/config.json" - "{{BaseURL}}/js/config.json" - + # API configs - "{{BaseURL}}/api/config.json" - "{{BaseURL}}/api/v1/config.json" - "{{BaseURL}}/api/v2/config.json" - "{{BaseURL}}/apiconfig.json" - + # Framework specific - "{{BaseURL}}/angular/config.json" - "{{BaseURL}}/react/config.json" - "{{BaseURL}}/vue/config.json" - + # Credentials & secrets - "{{BaseURL}}/credentials/config.json" - "{{BaseURL}}/secrets/config.json" - "{{BaseURL}}/secret/config.json" - "{{BaseURL}}/keys/config.json" - "{{BaseURL}}/auth/config.json" - + # AWS related - "{{BaseURL}}/aws/config.json" - "{{BaseURL}}/aws/credentials.json" - "{{BaseURL}}/cloud/config.json" - "{{BaseURL}}/s3/config.json" - + # Database configs - "{{BaseURL}}/db/config.json" - "{{BaseURL}}/database/config.json"
@@ -89,7 +89,7 @@ http: - "{{BaseURL}}/mongodb/config.json" stop-at-first-match: true - + matchers-condition: and matchers: - type: word
@@ -99,7 +99,7 @@ http: - "text/json" - "text/plain" condition: or - + - type: word part: header words:
@@ -107,11 +107,11 @@ http: - "text/php" condition: or negative: true - + - type: status status: - 200 - + - type: regex part: body regex:
@@ -134,20 +134,20 @@ http: - '\"(api_key|apikey|token|secret|auth)\":\s*\"([^\"]{8,})\"' - '\"access_token\":\s*\"([^\"]{8,})\"' - '\"authorization\":\s*\"([^\"]{8,})\"' - + - type: regex name: aws_credentials regex: - '\"aws_access_key_id\":\s*\"([^\"]{20,})\"' - '\"aws_secret_access_key\":\s*\"([^\"]{20,})\"' - '\"aws_session_token\":\s*\"([^\"]{20,})\"' - + - type: regex name: database_credentials regex: - '\"(db_password|database_password|mysql_password|postgresql_password|mongo_password)\":\s*\"([^\"]{8,})\"' - '\"(connection_string|connection_url|database_url)\":\s*\"([^\"]+)\"' - + - type: regex name: endpoints regex:
@@ -163,19 +163,19 @@ http: - '"fileUrl":\s*"(https?://[^"]+)"' - '"loginAppUrl":\s*"(https?://[^"]+)"' - '"aimBaseUrl":\s*"(https?://[^"]+)"' - + - type: regex name: access_codes regex: - '"accessCode":\s*"([A-Za-z0-9+/=]{40,})"' - '"recaptchaSiteKey":\s*"([A-Za-z0-9_-]{40,})"' - + - type: regex name: token_config regex: - '"tokenExpire":\s*(\d+)' - '"refreshTokenExpire":\s*(\d+)' - + - type: regex name: environment regex: