Files
sif/modules/recon/qdrant-api-exposure.yaml
T
Tigah 7788550722 feat(modules): add qdrant, weaviate and chroma exposure modules (#222)
modules/recon/qdrant-api-exposure.yaml flags a Qdrant vector database that
serves its collections without an api key, keyed on the result envelope wrapping
a collections array paired with the ok status, then extracts the first
collection name. Qdrant gates /collections behind the api key, so an answer here
means the catalog is readable.

modules/recon/weaviate-api-exposure.yaml flags a Weaviate vector database that
leaks its host address and version over the meta api, keyed on the url-valued
hostname paired with the version field, then extracts the hostname. Weaviate
drops the modules field when none are enabled, so the match leans on the
hostname, which it always renders as a scheme and host.

modules/recon/chroma-api-exposure.yaml flags a reachable Chroma vector database
by its heartbeat api on both the v1 and v2 paths, keyed on the nanosecond
heartbeat field. The heartbeat stays anonymous by design, so this is rated as a
reachability signal rather than an auth bypass.

internal/modules/vector_db_exposure_test.go drives the three modules end to end
through ExecuteHTTPModule and asserts the leak alongside the near misses a strict
review wants pinned: each service with one keying field missing, a bare hostname,
a generic version response, a plain 200 and a 404.

verify: go test ./internal/modules, each matcher and extractor proven to bite
(break -> red, restore -> green).
2026-06-22 16:54:03 -07:00

40 lines
787 B
YAML

# Qdrant Collections API Exposure Detection Module
id: qdrant-api-exposure
info:
name: Qdrant Collections API Exposure
author: sif
severity: high
description: Detects a Qdrant vector database serving its collections without an api key
tags: [qdrant, vector, database, api, exposure, recon]
type: http
http:
method: GET
paths:
- "{{BaseURL}}/collections"
matchers:
- type: status
status:
- 200
- type: regex
part: body
regex:
- '"result"\s*:\s*\{\s*"collections"'
- type: regex
part: body
regex:
- '"status"\s*:\s*"ok"'
extractors:
- type: regex
name: qdrant_collection
part: body
regex:
- '"collections"\s*:\s*\[\s*\{[^}]*?"name"\s*:\s*"([^"]+)"'
group: 1