
Composer Config - Detect

By kannthu

Severity: Informative
Vidoc Module
Tags: #config #exposure
Description

Module: Composer Config - Detect

What is the "Composer Config - Detect" module?

The "Composer Config - Detect" module is designed to detect misconfigurations in Composer configuration files. Composer is the dependency management tool for PHP that lets developers declare, install and update the packages their projects depend on. This module specifically focuses on identifying misconfigurations in the Composer configuration files, such as composer.json and composer.lock, that leave them reachable from the web.

This module has an informative severity level, which means it provides valuable information about potential misconfigurations but does not pose an immediate security risk.

Impact

The misconfigurations detected by the "Composer Config - Detect" module can have various impacts on a PHP project. They can lead to compatibility issues, incorrect package versions, or even security vulnerabilities. When these files are reachable over HTTP, they also disclose the exact set of packages and versions the application depends on. By identifying and addressing these misconfigurations, developers can ensure the stability and security of their Composer-managed projects.

How does the module work?

The "Composer Config - Detect" module works by sending HTTP requests to specific paths on the target web server, including composer.json, composer.lock, .composer/composer.json, and vendor/composer/installed.json. It then applies matching conditions to the responses to determine whether any of these files are being served.

For example, one of the matching conditions checks whether the response body for composer.lock contains the keyword "packages", the response headers indicate an "application/octet-stream" content type, and the status code is 200. Similarly, another matching condition checks whether the response body for composer.json contains the keyword "require", the response headers indicate an "application/json" content type, and the status code is 200. The content-type and status checks are what separate a real configuration file from a catch-all page that answers every path with HTML.

By evaluating these matching conditions, the module can identify misconfigurations in the Composer configuration files and provide developers with actionable insights to resolve them.
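The two matching conditions described above, re-implemented as an added example so they can be exercised offline; this is not Vidoc's own code. The Response class, the sample responses and the decision to report a path as soon as the condition for its file type holds are assumptions made for the example. A defender can run the same checks against constructed or captured responses from their own host as a regression test that these files are not being served.

```python
"""Added example (not Vidoc's own code): re-implements the two matching
conditions from the module description over constructed HTTP responses."""
from dataclasses import dataclass, field

# Paths the module requests, as listed in the description above.
COMPOSER_PATHS = [
    "/composer.json",
    "/composer.lock",
    "/.composer/composer.json",
    "/vendor/composer/installed.json",
]


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (assumption for this example)."""
    status_code: int
    headers: dict = field(default_factory=dict)
    body: str = ""

    def header(self, name: str) -> str:
        # Header names are case-insensitive, so match them case-insensitively
        # and return the value lowercased for substring checks.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value.lower()
        return ""


def matches_composer_lock(resp: Response) -> bool:
    """Condition 1: body contains "packages", content type is
    application/octet-stream and the status code is 200."""
    return (
        resp.status_code == 200
        and "packages" in resp.body
        and "application/octet-stream" in resp.header("Content-Type")
    )


def matches_composer_json(resp: Response) -> bool:
    """Condition 2: body contains "require", content type is
    application/json and the status code is 200."""
    return (
        resp.status_code == 200
        and "require" in resp.body
        and "application/json" in resp.header("Content-Type")
    )


def exposed_composer_files(responses: dict) -> list:
    """Given a mapping of requested path -> Response, return the paths whose
    response satisfies either condition, i.e. the paths the module would
    report (assumption: each condition is sufficient on its own)."""
    return [
        path
        for path, resp in responses.items()
        if matches_composer_lock(resp) or matches_composer_json(resp)
    ]


# Constructed sample responses standing in for a real scan of one host.
SAMPLE_RESPONSES = {
    "/composer.json": Response(
        200, {"Content-Type": "application/json"},
        '{"name": "example/app", "require": {"php": ">=8.1"}}'),
    "/composer.lock": Response(
        200, {"content-type": "application/octet-stream"},
        '{"packages": [{"name": "vendor/pkg", "version": "1.2.3"}]}'),
    # 404 error page that happens to contain both keywords: must not match.
    "/.composer/composer.json": Response(
        404, {"Content-Type": "text/html"},
        "<html>Not Found: require packages</html>"),
    # Catch-all page returning 200 as HTML: the content-type check rejects it.
    "/vendor/composer/installed.json": Response(
        200, {"Content-Type": "text/html"},
        "<html><body>packages require</body></html>"),
}

if __name__ == "__main__":
    for path in exposed_composer_files(SAMPLE_RESPONSES):
        print("exposed:", path)
```

Running the block reports /composer.json and /composer.lock only; the two HTML responses contain the keywords but fail the content-type or status checks, which is why the module keys on headers and not on the body alone.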

Module preview

Concurrent Requests (1)

1. HTTP Request template
   GET /composer.json, /composer.lock, /.composer/composer... (+1 paths)

   Matching conditions:
   dsl: contains(body, `packages`) && contains(t... and
   dsl: contains(body, `require`) && contains(to...

Passive global matcher: no matching conditions.

On match action: Report vulnerability