Automate Recon and scanning process with Vidoc. All security teams in one place
By kannthu
The "Detect Python Exposed Metrics" module is designed to identify potential information disclosure vulnerabilities in Python applications. It specifically targets the exposure of sensitive metrics through the "/metrics" endpoint. This module has a low severity level and was authored by dhiyaneshDK.
If the exposed metrics are not properly secured, an attacker may be able to gain access to sensitive information about the Python application, such as garbage collection data and Python version details. This could potentially lead to further exploitation or unauthorized access.
The module works by sending a GET request to the "/metrics" endpoint of the target Python application. It then applies matching conditions to determine if the application is exposing specific metrics and if the response status is 200 (OK).
Matching conditions:
- The response body must contain the following words: python_gc_objects_collected_total and python_info.
- The response status must be 200 (OK).
If both conditions are met, the module will report a vulnerability.
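As an added example (not part of the Vidoc module or its author's code), the following Python reproduces the module's two matching conditions against a constructed prometheus_client-style /metrics body and shows which Python version details such a response discloses; the sample body and the function names are assumptions.

```python
import re

# The two words the module requires in the /metrics response body.
REQUIRED_WORDS = ("python_gc_objects_collected_total", "python_info")

# Constructed sample of a prometheus_client /metrics response (not captured from any real host).
SAMPLE_BODY = """\
# HELP python_gc_objects_collected_total Objects collected during gc
# TYPE python_gc_objects_collected_total counter
python_gc_objects_collected_total{generation="0"} 1234.0
python_gc_objects_collected_total{generation="1"} 56.0
# HELP python_info Python platform information
# TYPE python_info gauge
python_info{implementation="CPython",major="3",minor="11",patchlevel="4",version="3.11.4"} 1.0
"""


def module_matches(status: int, body: str) -> bool:
    """Reproduce the module's matching conditions: HTTP 200 and both words present."""
    return status == 200 and all(word in body for word in REQUIRED_WORDS)


def disclosed_python_info(body: str) -> dict:
    """Extract the label set of the python_info sample, i.e. what an exposed endpoint reveals."""
    match = re.search(r'^python_info\{([^}]*)\}', body, re.MULTILINE)
    if not match:
        return {}
    return dict(re.findall(r'(\w+)="([^"]*)"', match.group(1)))


def assess(status: int, body: str) -> dict:
    """Summarise whether the endpoint would be reported and which Python version it leaks."""
    hit = module_matches(status, body)
    return {
        "reported": hit,
        "python_version": disclosed_python_info(body).get("version") if hit else None,
    }


if __name__ == "__main__":
    print(assess(200, SAMPLE_BODY))
    # An endpoint that requires authentication (e.g. answers 401) is not reported by the module.
    print(assess(401, "Unauthorized"))
```

Running the same check against your own /metrics endpoint (after placing it behind authentication or an internal-only listener) is a quick way to confirm the finding no longer triggers.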
Example HTTP request:
GET /metrics
For more information, refer to the following reference: https://gist.github.com/ruanbekker/e5b1e7895f62b020ff29b5f40767190c
Metadata:
- Max request: 1
- Shodan query: html: "python_gc_objects_collected_total"