caeff3944d
modules/recon/docker-api-exposure.yaml flags an unauthenticated Docker Engine api, keyed on the api version paired with the minimum api version that a generic version endpoint does not carry, then extracts the engine version. modules/recon/kubernetes-api-exposure.yaml flags an internet reachable Kubernetes api server through its anonymous version endpoint, keyed on the git version paired with a build field, then extracts the version. modules/recon/kubelet-api-exposure.yaml flags an exposed kubelet whose pod list leaks the cluster workload, keyed on the PodList kind paired with an api version, then extracts a pod namespace. internal/modules/runtime_api_exposure_test.go drives the three modules end to end through ExecuteHTTPModule and asserts the leak alongside the near misses a strict review wants pinned: a generic version response, each service with one keying field missing, a service list that is not a pod list, a plain 200 and a 404. verify: go test ./internal/modules, each matcher and extractor proven to bite (break -> red, restore -> green).
# Docker Engine API Exposure Detection Module
#
# Sends one GET to {{BaseURL}}/version and keys the finding on the
# response looking like the Docker Engine's own version document rather
# than a generic "/version" endpoint: HTTP 200 plus both the "ApiVersion"
# and the "MinAPIVersion" fields in the body. The engine version is then
# extracted from the "Engine" component for the report.

id: docker-api-exposure

info:
  name: Docker Engine API Exposure
  author: sif
  # Severity follows the description: an unauthenticated Engine api is
  # treated as control of the host (see the rce tag), not merely a leak.
  severity: critical
  description: Detects an unauthenticated Docker Engine api that grants control of the host
  tags: [docker, container, api, rce, exposure, recon]

type: http

http:
  method: GET
  paths:
    - "{{BaseURL}}/version"

  # No matchers-condition (or equivalent) key is set. The description only
  # holds if all three matchers must fire together: status AND "ApiVersion"
  # AND "MinAPIVersion". NOTE(review): confirm the executing engine defaults
  # to AND for a module without an explicit condition; if it defaulted to
  # OR, any plain 200 on /version would be reported as a hit.
  matchers:
    - type: status
      status:
        - 200

    # "ApiVersion" on its own is not decisive; it is the pairing with the
    # next matcher that separates the Engine from a generic version endpoint.
    - type: word
      part: body
      words:
        - "\"ApiVersion\""

    # "MinAPIVersion" is the field a generic version endpoint does not carry.
    - type: word
      part: body
      words:
        - "\"MinAPIVersion\""

  extractors:
    # Engine version for the report: the first "Version" that follows the
    # "Engine" name. The [^}] class keeps the lazy match inside the current
    # JSON object so it cannot run past a closing brace into another one.
    - type: regex
      name: docker_version
      part: body
      regex:
        - '"Engine"[^}]*?"Version"\s*:\s*"([^"]+)"'
      group: 1