sif/modules/recon/netdata-api-exposure.yaml
Tigah b31234c1bc feat(modules): add netdata and cadvisor exposure modules (#217)
modules/recon/netdata-api-exposure.yaml flags an exposed Netdata agent through its
unauthenticated /api/v1/info endpoint, keyed on the mirrored_hosts and cores_total
fields a generic info response does not carry, then extracts the agent version.

modules/recon/cadvisor-api-exposure.yaml flags an exposed cAdvisor container monitor
through its /api/v1.3/machine endpoint, keyed on the machine_id and cpu_frequency_khz
fields, then extracts the machine id.

internal/modules/metrics_exposure_test.go drives both modules through
ExecuteHTTPModule and asserts the leak alongside the near misses a strict review
wants pinned: each service with one keying field missing, a generic JSON, a plain 200
and a 404.

verify: go test ./internal/modules, each matcher and extractor proven to bite
(break -> red, restore -> green).
2026-06-22 19:52:30 -07:00

40 lines
718 B
YAML

# Netdata API Exposure Detection Module
id: netdata-api-exposure
info:
  name: Netdata API Exposure
  author: sif
  severity: medium
  description: Detects an exposed Netdata agent through its unauthenticated info endpoint
  tags: [netdata, monitoring, metrics, api, exposure, recon]
type: http
http:
  method: GET
  paths:
    - "{{BaseURL}}/api/v1/info"
  matchers:
    - type: status
      status:
        - 200
    - type: word
      part: body
      words:
        - "\"mirrored_hosts\""
    - type: word
      part: body
      words:
        - "\"cores_total\""
  extractors:
    - type: regex
      name: netdata_version
      part: body
      regex:
        - '"version"\s*:\s*"([^"]+)"'
      group: 1
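The matcher and extractor logic of the module above, re-implemented as an added stand-alone example (not sif's ExecuteHTTPModule or any code from this commit) so the leak and the near misses the commit message lists can be checked offline. It assumes the module's matchers are AND-ed, which is what the "one keying field missing" near-miss cases require; the `Response` type and the sample bodies are constructed here.

```go
package main

import (
	"regexp"
	"strings"
)

// Response is a constructed stand-in for an HTTP probe result.
type Response struct {
	Status int
	Body   string
}

// The module's two keying fields; both must appear, so a generic info body is rejected.
var netdataWords = []string{`"mirrored_hosts"`, `"cores_total"`}

// Same regex as the module's extractor; capture group 1 is the agent version.
var netdataVersion = regexp.MustCompile(`"version"\s*:\s*"([^"]+)"`)

// MatchNetdata applies the status matcher and every word matcher (assumed AND-ed).
func MatchNetdata(r Response) bool {
	if r.Status != 200 {
		return false
	}
	for _, w := range netdataWords {
		if !strings.Contains(r.Body, w) {
			return false
		}
	}
	return true
}

// ExtractVersion runs the extractor only on a matched response; "" means no result.
func ExtractVersion(r Response) string {
	if !MatchNetdata(r) {
		return ""
	}
	if m := netdataVersion.FindStringSubmatch(r.Body); m != nil {
		return m[1]
	}
	return ""
}

// Constructed sample bodies: the leak, a near miss missing one keying
// field, and a generic JSON info document that also carries a version.
var (
	LeakBody    = `{"version":"v1.44.0","mirrored_hosts":["h1"],"cores_total":8}`
	NoCoresBody = `{"version":"v1.44.0","mirrored_hosts":["h1"]}`
	GenericBody = `{"version":"2.0","status":"ok"}`
)
```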