
Config Ruby File Disclosure

By kannthu

Informative
Vidoc Module
Tags: #ruby #devops #exposure #config
Description

What is the "Config Ruby File Disclosure?"

The "Config Ruby File Disclosure" module detects web servers that serve a Ruby configuration file from the document root. It requests three well-known locations, "config.rb", ".chef/config.rb" and "assets/config.rb", and reports a match when the file comes back with the directives of a Compass (Sass) build configuration, "images_dir" and "css_dir".

The module is rated informative: a served config.rb is a configuration hygiene finding rather than an exploitable vulnerability on its own, but it shows that build or deployment files were published alongside the site.

This module was authored by DhiyaneshDK.

Impact

A config.rb that is reachable over HTTP reveals whatever its author put in it. For a Compass file that is usually only asset paths and build settings, which tells an attacker how the project is laid out; a Chef config.rb or a file that has been extended with environment-specific values can also carry credentials, API keys or internal hostnames. Either way the file was never meant to be served, so its presence should be treated as a sign that the deployment copies more of the repository into the web root than intended.

How does the module work?

The module sends a plain GET request to each of the three paths and applies the same two matching conditions to every response. Both must hold for a path to be reported:

- the response status is 200, so the server actually returned a document for that path rather than an error page; and
- the body contains both of the words "images_dir" and "css_dir", the directory directives of a Compass config.rb.

Requiring the words as well as the status keeps a custom "not found" page that answers 200 from producing a false positive. The first request the module sends is:

GET /config.rb

followed by GET /.chef/config.rb and GET /assets/config.rb. When a response is 200 and carries both words, the module reports the path as an exposed configuration file.
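The same probe-and-match logic, written out as an added example in Python so it can be read and run on its own; this is not Vidoc's code or the template author's. The paths and matcher words are the ones the module uses; the sample response body is constructed here to look like a typical Compass config.rb, and the base URL on the command line is whatever host you are assessing.

```python
"""Probe the three config.rb locations and apply the module's matcher."""
import sys
import urllib.error
import urllib.request

# Paths requested by the module, in the order the preview lists them.
PATHS = ["/config.rb", "/.chef/config.rb", "/assets/config.rb"]

# Matcher words: every one must appear in the body (condition type "and").
REQUIRED_WORDS = ("images_dir", "css_dir")

# Constructed sample of a Compass config.rb, used only for the offline check.
SAMPLE_COMPASS_CONFIG = """\
http_path = "/"
css_dir = "stylesheets"
sass_dir = "sass"
images_dir = "images"
javascripts_dir = "javascripts"
"""


def is_match(status: int, body: str) -> bool:
    """The module's two conditions: HTTP 200 AND all required words present."""
    return status == 200 and all(word in body for word in REQUIRED_WORDS)


def fetch(base_url: str, path: str, timeout: float = 5.0) -> tuple[int, str]:
    """GET base_url + path; 4xx/5xx responses are returned, not raised."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"User-Agent": "config-rb-check/1.0"},  # assumed, not a Vidoc UA
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


def scan(base_url: str, fetcher=fetch) -> list[str]:
    """Return the probed paths whose response satisfies the matcher."""
    hits = []
    for path in PATHS:
        status, body = fetcher(base_url, path)
        if is_match(status, body):
            hits.append(path)
    return hits


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8080"
    for hit in scan(target):
        print(f"[informative] exposed Compass config.rb: {target}{hit}")
```

The `fetcher` argument exists so the matcher can be exercised against a canned response without a network; the 404 branch in the fake below mirrors what a hardened server should return for these paths. Note that a soft-404 page served with status 200 is rejected because it does not contain both directive names.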

A hit from this module means the web server is publishing files from the project that belong to the build or deployment tooling. The fix is to keep config.rb and similar files out of the document root (build assets into a separate directory and serve only that), or to deny requests for them at the web server, and then to review the exposed file for any secrets that now need rotating.

Module preview

Concurrent Requests (1)

1. HTTP Request template
   GET /config.rb
   GET /.chef/config.rb
   GET /assets/config.rb

   Matching conditions
   word: images_dir, css_dir (and)
   status: 200

Passive global matcher
No matching conditions.

On match action
Report vulnerability