projectdiscovery · geeknik · Oct 28, 2024 · Oct 28, 2024 · Oct 29, 2024
diff --git a/http/exposures/configs/config-json.yaml b/http/exposures/configs/config-json.yaml
@@ -1,47 +1,187 @@
 id: config-json
 
 info:
-  name: Configuration File - Detect
+  name: Exposed JSON Configuration Files
   author: geeknik
-  severity: medium
-  description: Multiple configuration files were detected.
+  severity: critical
+  description: |
+    Detects exposed JSON configuration files containing sensitive information including API keys,
+    access tokens, AWS credentials, database configs, base URLs, file paths, and application settings.
+    These files often contain production configurations and credentials that should not be publicly accessible.
   classification:
-    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
-    cvss-score: 5.3
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
+    cvss-score: 10.0
     cwe-id: CWE-200
   metadata:
-    verified: true
-    max-request: 4
+    max-request: 50
     github-query: filename:config.json
   tags: config,exposure,files
 
 http:
   - method: GET
     path:
-      - "{{BaseURL}}/config/default.json"
+      # Root level configs
       - "{{BaseURL}}/config.json"
+      - "{{BaseURL}}/configuration.json"
+      - "{{BaseURL}}/settings.json"
+      - "{{BaseURL}}/configs.json"
+      - "{{BaseURL}}/conf.json"
+      - "{{BaseURL}}/app.config.json"
+      - "{{BaseURL}}/application.json"
+
+      # Environment specific configs
+      - "{{BaseURL}}/config.prod.json"
+      - "{{BaseURL}}/config.production.json"
+      - "{{BaseURL}}/config.dev.json"
+      - "{{BaseURL}}/config.development.json"
+      - "{{BaseURL}}/config.staging.json"
+      - "{{BaseURL}}/config.test.json"
+      - "{{BaseURL}}/config.local.json"
+
+      # Common config paths
       - "{{BaseURL}}/config/config.json"
+      - "{{BaseURL}}/config/default.json"
+      - "{{BaseURL}}/config/prod.json"
+      - "{{BaseURL}}/config/production.json"
+      - "{{BaseURL}}/config/development.json"
+      - "{{BaseURL}}/config/app.json"
+
+      # Application specific paths
+      - "{{BaseURL}}/app/config.json"
+      - "{{BaseURL}}/src/config.json"
+      - "{{BaseURL}}/assets/config.json"
+      - "{{BaseURL}}/assets/config.production.json"
+      - "{{BaseURL}}/assets/configs.json"
+      - "{{BaseURL}}/static/config.json"
+      - "{{BaseURL}}/public/config.json"
+      - "{{BaseURL}}/dist/config.json"
+      - "{{BaseURL}}/js/config.json"
+
+      # API configs
+      - "{{BaseURL}}/api/config.json"
+      - "{{BaseURL}}/api/v1/config.json"
+      - "{{BaseURL}}/api/v2/config.json"
+      - "{{BaseURL}}/apiconfig.json"
+
+      # Framework specific
+      - "{{BaseURL}}/angular/config.json"
+      - "{{BaseURL}}/react/config.json"
+      - "{{BaseURL}}/vue/config.json"
+
+      # Credentials & secrets
       - "{{BaseURL}}/credentials/config.json"
+      - "{{BaseURL}}/secrets/config.json"
+      - "{{BaseURL}}/secret/config.json"
+      - "{{BaseURL}}/keys/config.json"
+      - "{{BaseURL}}/auth/config.json"
+
+      # AWS related
+      - "{{BaseURL}}/aws/config.json"
+      - "{{BaseURL}}/aws/credentials.json"
+      - "{{BaseURL}}/cloud/config.json"
+      - "{{BaseURL}}/s3/config.json"
+
+      # Database configs
+      - "{{BaseURL}}/db/config.json"
+      - "{{BaseURL}}/database/config.json"
+      - "{{BaseURL}}/mysql/config.json"
+      - "{{BaseURL}}/postgres/config.json"
+      - "{{BaseURL}}/mongodb/config.json"
 
     stop-at-first-match: true
 
     matchers-condition: and
     matchers:
       - type: word
+        part: header
         words:
-          - '"api_keys":'
-          - '"aws":'
-          - '"server":'
+          - "application/json"
+          - "text/json"
+          - "text/plain"
         condition: or
 
       - type: word
         part: header
         words:
           - "text/html"
+          - "text/php"
+        condition: or
         negative: true
 
       - type: status
         status:
           - 200
 
-# digest: 4b0a004830460221008f823fffb82579f1df366875cdb5dbdff71072bdc5eb303dd4c66ae44aff2a88022100c5492cc9f4add1c722de527cb47608a221727d77aea871db02be484319e955dd:922c64590222798bb761d5b6d8e72950
+      - type: regex
+        part: body
+        regex:
+          - '(?i)(\"(api_key|apikey|token|secret|password|passwd|pwd|auth|access_key|secret_key)\":\s*\"[^\"]{8,}\")'
+          - '(?i)(\"(aws|azure|gcp|google|slack|github|twitter|facebook)\":\s*\{)'
+          - '(?i)(\"(host|endpoint|url|uri|connection|server)\":\s*\"[^\"]+\")'
+          - '(?i)(\"(username|user|uid|login)\":\s*\"[^\"]+\")'
+          - '(?i)(\"(db|database|mongo|mysql|postgresql|redis)\":\s*\{)'
+          - '(?i)"production":\s*(true|false)'
+          - '(?i)"baseUrl":\s*"[^"]+"'
+          - '(?i)"(accessCode|recaptchaSiteKey|tokenExpire)":\s*"[^"]+"'
+          - '(?i)"(fileUrl|loginAppUrl|aimBaseUrl)":\s*"[^"]+"'
+        condition: or
+
+    extractors:
+      # Original extractors
+      - type: regex
+        name: api_credentials
+        regex:
+          - '\"(api_key|apikey|token|secret|auth)\":\s*\"([^\"]{8,})\"'
+          - '\"access_token\":\s*\"([^\"]{8,})\"'
+          - '\"authorization\":\s*\"([^\"]{8,})\"'
+
+      - type: regex
+        name: aws_credentials
+        regex:
+          - '\"aws_access_key_id\":\s*\"([^\"]{20,})\"'
+          - '\"aws_secret_access_key\":\s*\"([^\"]{20,})\"'
+          - '\"aws_session_token\":\s*\"([^\"]{20,})\"'
+
+      - type: regex
+        name: database_credentials
+        regex:
+          - '\"(db_password|database_password|mysql_password|postgresql_password|mongo_password)\":\s*\"([^\"]{8,})\"'
+          - '\"(connection_string|connection_url|database_url)\":\s*\"([^\"]+)\"'
+
+      - type: regex
+        name: endpoints
+        regex:
+          - '\"(url|endpoint|uri|host|server)\":\s*\"(https?://[^\"]+)\"'
+          - '\"(webhook|callback)\":\s*\"(https?://[^\"]+)\"'
+
+      # New specific extractors
+      - type: regex
+        name: base_urls
+        regex:
+          - '"baseUrl":\s*"(https?://[^"]+)"'
+          - '"baseURL":\s*"(https?://[^"]+)"'
+          - '"fileUrl":\s*"(https?://[^"]+)"'
+          - '"loginAppUrl":\s*"(https?://[^"]+)"'
+          - '"aimBaseUrl":\s*"(https?://[^"]+)"'
+
+      - type: regex
+        name: access_codes
+        regex:
+          - '"accessCode":\s*"([A-Za-z0-9+/=]{40,})"'
+          - '"recaptchaSiteKey":\s*"([A-Za-z0-9_-]{40,})"'
+
+      - type: regex
+        name: token_config
+        regex:
+          - '"tokenExpire":\s*(\d+)'
+          - '"refreshTokenExpire":\s*(\d+)'
+
+      - type: regex
+        name: environment
+        regex:
+          - '"production":\s*(true|false)'
+
+      - type: regex
+        name: sensitive_endpoints
+        regex:
+          - 'https?://[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/(?:login|api|admin|dashboard|auth)'