Files
sif/modules/recon/etcd-api-exposure.yaml
T
Tigah 6a8ce9c07b feat(modules): add vault, consul and etcd api exposure modules (#207)
modules/recon/vault-api-exposure.yaml flags an internet reachable HashiCorp
Vault through its unauthenticated seal-status, keyed on the sealed flag paired
with a vault-only status field, then extracts the version for cve matching.

modules/recon/consul-api-exposure.yaml flags a Consul http api that answers
without an acl token, keyed on the Datacenter field paired with an agent or
node marker, then extracts the datacenter.

modules/recon/etcd-api-exposure.yaml flags an exposed etcd through its version
endpoint, keyed on the etcdserver and etcdcluster fields that a generic version
response does not carry, then extracts the server version.

internal/modules/orchestration_api_exposure_test.go drives the three modules
end to end through ExecuteHTTPModule and asserts the leak alongside the near
misses a strict review wants pinned: a sealed flag with no vault field, a
datacenter field alone, a version response from another service, a partial etcd
reply, a plain 200 body and a 404, none of which may match.

verify: go test ./internal/modules, each matcher and extractor proven to bite
(break -> red, restore -> green).
2026-06-22 17:13:07 -07:00

40 lines
714 B
YAML

# etcd API Exposure Detection Module
id: etcd-api-exposure
info:
name: etcd API Exposure
author: sif
severity: high
description: Detects an exposed etcd api whose keyspace often holds kubernetes secrets
tags: [etcd, kubernetes, key-value, api, exposure, recon]
type: http
http:
method: GET
paths:
- "{{BaseURL}}/version"
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- "\"etcdserver\""
- type: word
part: body
words:
- "\"etcdcluster\""
extractors:
- type: regex
name: etcd_version
part: body
regex:
- '"etcdserver"\s*:\s*"([0-9]+\.[0-9]+\.[0-9]+)"'
group: 1