
Detect exposed instance of Elasticsearch

By kannthu

Severity: High
Vidoc Module
#elastic #unauth #elasticsearch #exposure
Description

What is the "Detect exposed instance of Elasticsearch" module?

The "Detect exposed instance of Elasticsearch" module is designed to identify instances of Elasticsearch that have been exposed to the internet without proper authentication or authorization measures in place. Elasticsearch is a powerful search engine and data analysis tool commonly used to store and index sensitive information.

This module focuses on detecting misconfigurations and vulnerabilities in Elasticsearch instances, helping organizations identify potential security risks and take appropriate actions to secure their systems.

This module has a severity level of high, indicating that the identified vulnerabilities or misconfigurations can pose significant risks to the security and integrity of Elasticsearch instances.

Impact

If an instance of Elasticsearch is exposed without proper authentication or authorization measures, it can lead to unauthorized access, data breaches, and potential compromise of sensitive information. Attackers may exploit the exposed instance to perform unauthorized operations, extract sensitive data, or disrupt the Elasticsearch service.

How does the module work?

The "Detect exposed instance of Elasticsearch" module uses an HTTP request template and a set of matching conditions to identify exposed instances of Elasticsearch. It sends an HTTP GET request to the target Elasticsearch server and analyzes the response to determine whether the instance answers search queries without authentication, which is what makes it exposed.

Here is an example of an HTTP request used by the module:

GET /_search

The module applies several matching conditions to the response to confirm the presence of an exposed Elasticsearch instance:

- The response body must contain the words "took", "hits", and "total".
- The response body must not contain the HTML tags <html> or <body>.
- The HTTP status code must be 200.

In addition to these specific matching conditions, the module also checks for the presence of certain keywords in the response body, such as "cluster_name" and "You Know, for Search", to further confirm the presence of an exposed Elasticsearch instance.

By analyzing the responses and matching conditions, the module can accurately detect instances of Elasticsearch that have been exposed to the internet without proper security measures.
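To show how the conditions above combine, here is an added Python example (not Vidoc's own code) that applies the module's three matching conditions and its two passive keywords to constructed sample responses. It uses the quoted JSON keys shown in the module preview (`"took":`, `"hits":`, `"total":`) rather than the bare words; the sample response bodies are constructed for illustration.

```python
import json

# Strings the module's word matcher looks for (from the module preview; these are
# JSON keys as they appear in a real _search response body).
REQUIRED_WORDS = ('"took":', '"hits":', '"total":')
# Markers whose presence makes the dsl condition fail (HTML page, not an API reply).
HTML_MARKERS = ("<html", "<body")
# Passive global matcher keywords that further confirm an Elasticsearch node.
PASSIVE_WORDS = ("cluster_name", "You Know, for Search")


def evaluate_response(status, body):
    """Apply the module's matching conditions to one HTTP response.

    Returns the outcome of each condition, the overall verdict (all three
    active conditions must hold, mirroring the 'and' in the module preview),
    and which passive keywords were seen in the body.
    """
    lowered = body.lower()  # the dsl matcher compares against tolower(body)
    word_ok = all(w in body for w in REQUIRED_WORDS)
    dsl_ok = not any(marker in lowered for marker in HTML_MARKERS)
    status_ok = status == 200
    return {
        "word": word_ok,
        "dsl": dsl_ok,
        "status": status_ok,
        "match": word_ok and dsl_ok and status_ok,
        "passive": [w for w in PASSIVE_WORDS if w in body],
    }


# Constructed sample: shape of an unauthenticated GET /_search reply (exposed).
SEARCH_REPLY = json.dumps({
    "took": 3, "timed_out": False,
    "_shards": {"total": 1, "successful": 1, "skipped": 0, "failed": 0},
    "hits": {"total": {"value": 0, "relation": "eq"}, "max_score": None, "hits": []},
})
# Constructed sample: an HTML page that mentions the same words (must not match).
HTML_PAGE = '<html><body>Search "took": 3ms, "hits": 0, "total": 0</body></html>'
# Constructed sample: a node with security enabled rejects the request (no match).
AUTH_REQUIRED_REPLY = json.dumps({"error": {"type": "security_exception",
                                  "reason": "missing authentication credentials"},
                                  "status": 401})
# Constructed sample: root banner carrying both passive keywords.
ROOT_REPLY = json.dumps({"name": "node-1", "cluster_name": "docker-cluster",
                         "tagline": "You Know, for Search"})

if __name__ == "__main__":
    for label, status, body in (("search", 200, SEARCH_REPLY), ("html", 200, HTML_PAGE),
                                ("auth", 401, AUTH_REQUIRED_REPLY), ("root", 200, ROOT_REPLY)):
        print(label, evaluate_response(status, body))
```

Only the first sample reports as exposed; the HTML page fails the dsl condition and the 401 reply fails both the word and status conditions, which is the behaviour a correctly secured node should produce.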

Module preview

Concurrent Requests (1)

1. HTTP Request template
GET /_search

Matching conditions
word: "took":, "hits":, "total":  and
dsl: !contains(tolower(body), '<html'), !cont...  and
status: 200

Passive global matcher
word: cluster_name  and
word: You Know, for Search

On match action
Report vulnerability