mirror of
https://github.com/lunchcat/sif.git
synced 2026-07-04 03:45:08 -07:00
b31234c1bc
modules/recon/netdata-api-exposure.yaml flags an exposed Netdata agent through its unauthenticated /api/v1/info endpoint, keyed on the mirrored_hosts and cores_total fields a generic info response does not carry, then extracts the agent version. modules/recon/cadvisor-api-exposure.yaml flags an exposed cAdvisor container monitor through its /api/v1.3/machine endpoint, keyed on the machine_id and cpu_frequency_khz fields, then extracts the machine id. internal/modules/metrics_exposure_test.go drives both modules through ExecuteHTTPModule and asserts the leak alongside the near misses a strict review wants pinned: each service with one keying field missing, a generic json, a plain 200 and a 404. verify: go test ./internal/modules, each matcher and extractor proven to bite (break -> red, restore -> green).
40 lines
718 B
YAML
40 lines
718 B
YAML
# Netdata API Exposure Detection Module
|
|
|
|
id: netdata-api-exposure
|
|
info:
|
|
name: Netdata API Exposure
|
|
author: sif
|
|
severity: medium
|
|
description: Detects an exposed Netdata agent through its unauthenticated info endpoint
|
|
tags: [netdata, monitoring, metrics, api, exposure, recon]
|
|
|
|
type: http
|
|
|
|
http:
|
|
method: GET
|
|
paths:
|
|
- "{{BaseURL}}/api/v1/info"
|
|
|
|
matchers:
|
|
- type: status
|
|
status:
|
|
- 200
|
|
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- "\"mirrored_hosts\""
|
|
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- "\"cores_total\""
|
|
|
|
extractors:
|
|
- type: regex
|
|
name: netdata_version
|
|
part: body
|
|
regex:
|
|
- '"version"\s*:\s*"([^"]+)"'
|
|
group: 1
|