sif/modules/recon/dgraph-api-exposure.yaml
Tigah 3a289a3ac4 feat(modules): add clickhouse and dgraph exposure modules (#258)
add recon modules for self-hosted databases whose http interface is reachable
without credentials: clickhouse runs arbitrary sql because the default user has
an empty password, confirmed here by reading the server version through the
http interface, and the open-source dgraph alpha has no authentication so its
/health endpoint discloses the cluster while /query and /admin read and drop
all data; a clickhouse that requires a password returns 403 and an alpha behind
an authenticating proxy returns 401 and neither is flagged.
2026-07-02 13:22:24 -07:00

42 lines
833 B
YAML

# Dgraph Alpha API Exposure Detection Module

id: dgraph-api-exposure
info:
  name: Dgraph Alpha API Exposure
  author: sif
  severity: medium
  description: Detects a Dgraph Alpha whose unauthenticated health api leaks the cluster members and versions and serves read and admin apis
  tags: [dgraph, graph-database, database, exposure, unauth, recon]

type: http

http:
  method: GET
  paths:
    - "{{BaseURL}}/health"

  matchers:
    - type: regex
      part: body
      regex:
        - '"instance"\s*:\s*"alpha"'
    - type: word
      part: body
      words:
        - "\"max_assigned\""
        - "\"lastEcho\""
      condition: and
    - type: status
      status:
        - 200

  extractors:
    - type: regex
      name: dgraph_version
      part: body
      regex:
        - '"version"\s*:\s*"([^"]+)"'
      group: 1
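
The following is an added example, not code from the sif repository: it replays the module's three matchers and its version extractor over constructed `/health` responses to show which ones are flagged. The `Evaluate` function, the sample bodies and the rule that every matcher must pass are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Patterns copied from the module's matchers and extractor above.
var (
	instanceRe = regexp.MustCompile(`"instance"\s*:\s*"alpha"`)
	versionRe  = regexp.MustCompile(`"version"\s*:\s*"([^"]+)"`)
	bodyWords  = []string{`"max_assigned"`, `"lastEcho"`}
)

// Constructed sample responses (not captured from real servers).
const (
	openAlphaBody = `[{"instance": "alpha", "address": "alpha1:7080", "status": "healthy",` +
		` "group": "1", "version": "v0.0.0-example", "uptime": 120,` +
		` "lastEcho": 1700000000, "max_assigned": 30002}]`
	proxyBody   = `{"error": "authentication required"}`
	genericBody = `{"instance": "alpha", "status": "ok"}` // unrelated service on /health
)

// Evaluate applies the regex, word (condition: and) and status matchers.
// Assumption: a finding is reported only when every matcher passes.
func Evaluate(status int, body string) (flagged bool, version string) {
	if status != 200 || !instanceRe.MatchString(body) {
		return false, ""
	}
	for _, w := range bodyWords {
		if !strings.Contains(body, w) {
			return false, ""
		}
	}
	// Extractor: capture group 1 of the version pattern, if present.
	if m := versionRe.FindStringSubmatch(body); m != nil {
		version = m[1]
	}
	return true, version
}

func main() {
	fmt.Println(Evaluate(200, openAlphaBody)) // open Alpha: flagged, version extracted
	fmt.Println(Evaluate(401, proxyBody))     // authenticating proxy: not flagged
	fmt.Println(Evaluate(200, genericBody))   // missing Dgraph-specific fields: not flagged
}
```

Requiring `"max_assigned"` and `"lastEcho"` alongside the `instance` regex is what keeps an unrelated service that happens to answer `/health` with an `"instance": "alpha"` field from being reported.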