Automate Recon and scanning process with Vidoc. All security teams in one place
By kannthu
Composer-auth Json File Disclosure is a module designed to detect a misconfiguration in applications that use the Composer package manager: the ".composer-auth.json" file, which holds Composer's authentication settings, being served by the web server. The severity of this vulnerability is classified as low.
If the ".composer-auth.json" file is exposed, it can potentially reveal sensitive information such as GitHub OAuth tokens and related configurations. This can lead to unauthorized access to GitHub repositories and other associated resources.
The module sends HTTP requests to specific paths, including "/.composer-auth.json" and "/vendor/webmozart/assert/.composer-auth.json". It then applies matching conditions to determine if the vulnerability is present.
Matching conditions:
- The response must contain the words "github-oauth" and "github.com".
- The response status code must be 200.
If both conditions are met, the module reports the vulnerability.
Example HTTP request:
GET /.composer-auth.json
Note: The actual JSON definitions of the module are not shown here for simplicity.
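The following is an added example, not the module's own code, that reproduces the matching logic described above in Python so it can be checked offline against constructed responses and, if desired, run against your own deployment before release. The probe paths and the two match words come from the description; the `redacted_hosts` follow-up check, the `Response` class and the sample bodies are my own assumptions.

```python
"""Offline reproduction of the .composer-auth.json exposure check (added example)."""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass

# Probe paths and match words taken from the module description.
PROBE_PATHS = ("/.composer-auth.json", "/vendor/webmozart/assert/.composer-auth.json")
REQUIRED_WORDS = ("github-oauth", "github.com")


@dataclass
class Response:
    status: int
    body: str


def is_exposed(resp: Response) -> bool:
    """Reproduce the module's two conditions: HTTP 200 and both words present."""
    return resp.status == 200 and all(word in resp.body for word in REQUIRED_WORDS)


def redacted_hosts(body: str) -> dict:
    """Stricter follow-up (my addition, not part of the module): confirm the body
    really is Composer auth JSON with a github-oauth section, and list the hosts
    with their token values replaced so a report can be filed without copying secrets."""
    try:
        data = json.loads(body)
    except ValueError:
        return {}
    oauth = data.get("github-oauth") if isinstance(data, dict) else None
    if not isinstance(oauth, dict):
        return {}
    return {host: "<redacted>" for host in oauth}


def fetch(base_url: str, path: str, timeout: float = 5.0) -> Response:
    """Fetch one probe path from your own deployment (network call, not run offline)."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"User-Agent": "composer-auth-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return Response(r.status, r.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:  # non-2xx responses arrive here
        return Response(e.code, e.read().decode("utf-8", "replace"))


def check_site(base_url: str) -> list:
    """Return the probe paths on base_url that satisfy the module's conditions."""
    return [p for p in PROBE_PATHS if is_exposed(fetch(base_url, p))]


# Constructed sample responses (not captured from any real host).
EXPOSED = Response(200, '{"github-oauth": {"github.com": "EXAMPLE-TOKEN-NOT-REAL"}}')
NOT_FOUND = Response(404, "Not found. See the github-oauth docs on github.com")  # words present, wrong status
CATCH_ALL = Response(200, "<html><body>Welcome</body></html>")                   # right status, words absent

if __name__ == "__main__":
    for name, resp in (("exposed", EXPOSED), ("not_found", NOT_FOUND), ("catch_all", CATCH_ALL)):
        print(name, is_exposed(resp), redacted_hosts(resp.body))
```

Because the module's word match is a substring test, a catch-all page that returns 200 and happens to mention both strings would be reported too; a non-empty result from `redacted_hosts` is the stronger confirmation. The fix on the hosting side is to keep the auth file outside the document root and configure the web server not to serve dotfiles.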