Files
sif/modules/recon/couchbase-api-exposure.yaml
T
Tigah 28a01f0f83 feat(modules): add riak, couchbase and druid api exposure modules (#216)
modules/recon/riak-api-exposure.yaml flags an exposed Riak http api reachable
without authentication, keyed on the riak kv version paired with the core version,
then extracts the kv version.

modules/recon/couchbase-api-exposure.yaml flags an exposed Couchbase cluster
management api, keyed on the implementation version paired with the components
version that the bootstrap pool reports, then extracts the implementation version.

modules/recon/druid-api-exposure.yaml flags an exposed Apache Druid process that
runs without authentication, keyed on the druid package namespace paired with the
process memory block, then extracts the druid version.

internal/modules/distributed_db_exposure_test.go drives the three modules end to
end through ExecuteHTTPModule and asserts the leak alongside the near misses a
strict review wants pinned: each service with one keying field missing, a generic
version response, a plain 200 and a 404.

verify: go test ./internal/modules, each matcher and extractor proven to bite
(break -> red, restore -> green).
2026-06-22 17:06:51 -07:00

40 lines
765 B
YAML

# Couchbase Cluster API Exposure Detection Module
id: couchbase-api-exposure
info:
name: Couchbase Cluster API Exposure
author: sif
severity: medium
description: Detects an exposed Couchbase cluster management api that leaks the build and topology
tags: [couchbase, database, api, exposure, recon]
type: http
http:
method: GET
paths:
- "{{BaseURL}}/pools"
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- "\"implementationVersion\""
- type: word
part: body
words:
- "\"componentsVersion\""
extractors:
- type: regex
name: couchbase_version
part: body
regex:
- '"implementationVersion"\s*:\s*"([^"]+)"'
group: 1