mirror of
https://github.com/lunchcat/sif.git
synced 2026-07-07 21:07:05 -07:00
6a8ce9c07b
modules/recon/vault-api-exposure.yaml flags an internet reachable HashiCorp Vault through its unauthenticated seal-status, keyed on the sealed flag paired with a vault-only status field, then extracts the version for cve matching. modules/recon/consul-api-exposure.yaml flags a Consul http api that answers without an acl token, keyed on the Datacenter field paired with an agent or node marker, then extracts the datacenter. modules/recon/etcd-api-exposure.yaml flags an exposed etcd through its version endpoint, keyed on the etcdserver and etcdcluster fields that a generic version response does not carry, then extracts the server version. internal/modules/orchestration_api_exposure_test.go drives the three modules end to end through ExecuteHTTPModule and asserts the leak alongside the near misses a strict review wants pinned: a sealed flag with no vault field, a datacenter field alone, a version response from another service, a partial etcd reply, a plain 200 body and a 404, none of which may match. verify: go test ./internal/modules, each matcher and extractor proven to bite (break -> red, restore -> green).
40 lines
714 B
YAML
40 lines
714 B
YAML
# etcd API Exposure Detection Module
|
|
|
|
id: etcd-api-exposure
|
|
info:
|
|
name: etcd API Exposure
|
|
author: sif
|
|
severity: high
|
|
description: Detects an exposed etcd api whose keyspace often holds kubernetes secrets
|
|
tags: [etcd, kubernetes, key-value, api, exposure, recon]
|
|
|
|
type: http
|
|
|
|
http:
|
|
method: GET
|
|
paths:
|
|
- "{{BaseURL}}/version"
|
|
|
|
matchers:
|
|
- type: status
|
|
status:
|
|
- 200
|
|
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- "\"etcdserver\""
|
|
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- "\"etcdcluster\""
|
|
|
|
extractors:
|
|
- type: regex
|
|
name: etcd_version
|
|
part: body
|
|
regex:
|
|
- '"etcdserver"\s*:\s*"([0-9]+\.[0-9]+\.[0-9]+)"'
|
|
group: 1
|