
Composer-auth Json File Disclosure

By kannthu

Low
Vidoc Module
#exposure #devops #files
Description

What is Composer-auth Json File Disclosure?

Composer-auth Json File Disclosure is a module designed to detect a misconfiguration vulnerability in applications that use the Composer package manager. This module focuses on the exposure of sensitive information through the disclosure of the ".composer-auth.json" file. The severity of this vulnerability is classified as low.

Impact

If the ".composer-auth.json" file is exposed, it can potentially reveal sensitive information such as GitHub OAuth tokens and related configurations. This can lead to unauthorized access to GitHub repositories and other associated resources.

How does the module work?

The module sends HTTP requests to specific paths, including "/.composer-auth.json" and "/vendor/webmozart/assert/.composer-auth.json". It then applies matching conditions to determine if the vulnerability is present.

Matching conditions:

- The response must contain the words "github-oauth" and "github.com".
- The response status code must be 200.

If both conditions are met, the module reports the vulnerability.

Example HTTP request:

GET /.composer-auth.json

Note: The actual JSON definitions of the module are not shown here for simplicity.
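Added example, not the module's own definition: a Python reimplementation of the matching conditions described above, for verifying your own hosts, plus a stricter JSON-aware check (an assumption of this example, not something the module does) to triage hits. The names check_host, strict_match and the sample responses are constructed for this example.

```python
"""Added example (not Vidoc's module code): the module's match logic and a
stricter JSON check for triaging a reported .composer-auth.json exposure."""
import json
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Paths the module probes, as listed in the description.
PATHS = ("/.composer-auth.json", "/vendor/webmozart/assert/.composer-auth.json")
REQUIRED_WORDS = ("github-oauth", "github.com")


def module_match(status: int, body: str) -> bool:
    """The module's conditions: status 200 and both words anywhere in the body."""
    return status == 200 and all(word in body for word in REQUIRED_WORDS)


def strict_match(status: int, body: str) -> bool:
    """Stricter check (assumption of this example): the body must be valid JSON
    whose 'github-oauth' object holds a non-empty token for github.com, so a
    200 HTML page that merely mentions both words is not treated as a leak."""
    if status != 200:
        return False
    try:
        data = json.loads(body)
    except ValueError:
        return False
    oauth = data.get("github-oauth") if isinstance(data, dict) else None
    token = oauth.get("github.com") if isinstance(oauth, dict) else None
    return isinstance(token, str) and token != ""


def check_host(base_url: str, timeout: float = 5.0) -> dict:
    """Fetch each path on a host you operate and return both verdicts per path.
    Network helper only; the offline samples below never call it."""
    results = {}
    for path in PATHS:
        try:
            with urlopen(Request(base_url.rstrip("/") + path), timeout=timeout) as resp:
                status, body = resp.status, resp.read().decode("utf-8", "replace")
        except HTTPError as err:
            status, body = err.code, ""
        except OSError:
            status, body = 0, ""
        results[path] = {"module": module_match(status, body), "strict": strict_match(status, body)}
    return results


# Constructed sample responses (not captured from any real host).
EXPOSED = (200, '{"github-oauth": {"github.com": "EXAMPLE_TOKEN_PLACEHOLDER"}}')
NOT_FOUND = (404, '{"github-oauth": {"github.com": "x"}}')  # fails the status check
HTML_NOISE = (200, "<p>Put github-oauth tokens for github.com in auth.json</p>")  # word match only
```

Running module_match and strict_match over the three samples shows the one case where the word matcher alone reports a hit that the JSON check rejects.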

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET /.composer-auth.json, /vendor/webmozart/as...
Matching conditions
word: github-oauth, github.com
and
status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability