sif/modules/recon/docker-api-exposure.yaml
Tigah caeff3944d feat(modules): add docker, kubernetes and kubelet api exposure modules (#212)
modules/recon/docker-api-exposure.yaml flags an unauthenticated Docker Engine
api, keyed on the api version paired with the minimum api version that a generic
version endpoint does not carry, then extracts the engine version.

modules/recon/kubernetes-api-exposure.yaml flags an internet reachable Kubernetes
api server through its anonymous version endpoint, keyed on the git version
paired with a build field, then extracts the version.

modules/recon/kubelet-api-exposure.yaml flags an exposed kubelet whose pod list
leaks the cluster workload, keyed on the PodList kind paired with an api version,
then extracts a pod namespace.

internal/modules/runtime_api_exposure_test.go drives the three modules end to end
through ExecuteHTTPModule and asserts the leak alongside the near misses a strict
review wants pinned: a generic version response, each service with one keying
field missing, a service list that is not a pod list, a plain 200 and a 404.

verify: go test ./internal/modules, each matcher and extractor proven to bite
(break -> red, restore -> green).
2026-06-22 19:52:25 -07:00

40 lines
734 B
YAML

# Docker Engine API Exposure Detection Module
id: docker-api-exposure

info:
  name: Docker Engine API Exposure
  author: sif
  severity: critical
  description: Detects an unauthenticated Docker Engine api that grants control of the host
  tags: [docker, container, api, rce, exposure, recon]

type: http

http:
  method: GET
  paths:
    - "{{BaseURL}}/version"

  matchers:
    - type: status
      status:
        - 200
    - type: word
      part: body
      words:
        - "\"ApiVersion\""
    - type: word
      part: body
      words:
        - "\"MinAPIVersion\""

  extractors:
    - type: regex
      name: docker_version
      part: body
      regex:
        - '"Engine"[^}]*?"Version"\s*:\s*"([^"]+)"'
      group: 1
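Added illustration, not code from the sif project: the module's status matcher, both keying word matchers and the regex extractor re-implemented as one Go function and run over constructed response bodies, including the near misses the commit message pins (a generic /version reply and a non-200 status). The body shapes and version numbers are assumed sample data.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample bodies (not captured from any host): the first mimics the
// shape of Docker's GET /version reply, the second a generic /version service.
const dockerVersionBody = `{"Platform":{"Name":"Docker Engine - Community"},` +
	`"Components":[{"Name":"Engine","Version":"24.0.7",` +
	`"Details":{"ApiVersion":"1.43","MinAPIVersion":"1.12"}}],` +
	`"Version":"24.0.7","ApiVersion":"1.43","MinAPIVersion":"1.12"}`
const genericVersionBody = `{"version":"2.1.0","ApiVersion":"v1"}`

// Keying words from the module; every word matcher must hit, so a body that
// carries only one of them is a near miss and must not fire.
var keyWords = []string{`"ApiVersion"`, `"MinAPIVersion"`}

// The module's extractor regex: the Version of the component named Engine.
// [^}]*? keeps the search inside that one component object.
var engineVersionRe = regexp.MustCompile(`"Engine"[^}]*?"Version"\s*:\s*"([^"]+)"`)

// Evaluate applies the status matcher, both word matchers and the extractor to
// one response: whether the module fires, and the engine version if found.
func Evaluate(status int, body string) (matched bool, version string) {
	if status != 200 {
		return false, ""
	}
	for _, w := range keyWords {
		if !strings.Contains(body, w) {
			return false, ""
		}
	}
	if m := engineVersionRe.FindStringSubmatch(body); m != nil {
		return true, m[1]
	}
	return true, "" // keyed, but no Engine component to read a version from
}

func main() {
	for _, c := range []struct{ name string; status int; body string }{
		{"docker", 200, dockerVersionBody}, {"generic /version", 200, genericVersionBody},
		{"docker but 404", 404, dockerVersionBody},
	} {
		ok, v := Evaluate(c.status, c.body)
		fmt.Printf("%-16s matched=%v version=%q\n", c.name, ok, v)
	}
}
```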