mirror of
https://github.com/lunchcat/sif.git
synced 2026-07-07 12:57:09 -07:00
28a01f0f83
modules/recon/riak-api-exposure.yaml flags an exposed Riak http api reachable without authentication, keyed on the riak kv version paired with the core version, then extracts the kv version. modules/recon/couchbase-api-exposure.yaml flags an exposed Couchbase cluster management api, keyed on the implementation version paired with the components version that the bootstrap pool reports, then extracts the implementation version. modules/recon/druid-api-exposure.yaml flags an exposed Apache Druid process that runs without authentication, keyed on the druid package namespace paired with the process memory block, then extracts the druid version. internal/modules/distributed_db_exposure_test.go drives the three modules end to end through ExecuteHTTPModule and asserts the leak alongside the near misses a strict review wants pinned: each service with one keying field missing, a generic version response, a plain 200 and a 404. verify: go test ./internal/modules, each matcher and extractor proven to bite (break -> red, restore -> green).
40 lines
765 B
YAML
40 lines
765 B
YAML
# Couchbase Cluster API Exposure Detection Module
|
|
|
|
id: couchbase-api-exposure
|
|
info:
|
|
name: Couchbase Cluster API Exposure
|
|
author: sif
|
|
severity: medium
|
|
description: Detects an exposed Couchbase cluster management api that leaks the build and topology
|
|
tags: [couchbase, database, api, exposure, recon]
|
|
|
|
type: http
|
|
|
|
http:
|
|
method: GET
|
|
paths:
|
|
- "{{BaseURL}}/pools"
|
|
|
|
matchers:
|
|
- type: status
|
|
status:
|
|
- 200
|
|
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- "\"implementationVersion\""
|
|
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- "\"componentsVersion\""
|
|
|
|
extractors:
|
|
- type: regex
|
|
name: couchbase_version
|
|
part: body
|
|
regex:
|
|
- '"implementationVersion"\s*:\s*"([^"]+)"'
|
|
group: 1
|