
Discover development log files

By kannthu

Informative
Vidoc Module
#logs #exposure #rails
Description

What is "Discover development log files?"

The "Discover development log files" module is designed to detect misconfigurations in the development log files of a software application. It specifically targets applications built with the Rails framework. The severity of this module is classified as informative, meaning it provides valuable information but does not pose a direct vulnerability. The original author of this module is geeknik.

Impact

This module does not have a direct impact on the security of the application. However, it can help identify potential misconfigurations in the development log files, which may lead to security vulnerabilities if left unaddressed.

How does the module work?

The "Discover development log files" module works by sending HTTP requests to specific paths commonly used for accessing development log files in Rails applications. It then applies matching conditions to analyze the responses and determine if any misconfigurations or vulnerabilities are present.

For example, one of the matching conditions checks for specific words in the response body, such as "Connecting to database specified by database.yml" or "Started GET". If these words are found, it indicates that the log file may contain sensitive information or potential security issues.

Another condition is a negative check on the response headers: as the module preview shows ("NOT word: text/html"), the response must not be served as "text/html". A raw log file comes back as plain text, whereas an HTML response usually means the server returned an ordinary page (for example a catch-all or error page) rather than the log itself. Additionally, the module verifies that the HTTP response status is 200, indicating a successful request.

By analyzing these matching conditions, the module helps identify potential misconfigurations or vulnerabilities in the development log files of Rails applications.
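As an added illustration (not Vidoc's or geeknik's own code), the matching logic described above in Python: the four conditions are ANDed, then applied to constructed responses for a real log and for a catch-all HTML page. The second candidate path and the "any phrase within one word condition" rule are assumptions, since the preview truncates the module's real lists.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Candidate paths (hypothetical: the preview truncates the module's real list;
# only /log/development.log appears on the page in full).
CANDIDATE_PATHS = ["/log/development.log", "/logs/development.log"]
# Condition 1: lines a Rails development.log typically contains
DB_WORDS = ["Connecting to database specified by database.yml", "Started GET"]
# Condition 2: schema/migration noise that also only shows up in a real log
SCHEMA_WORDS = ["DEPRECATION WARNING", "CREATE TABLE"]


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str


def is_exposed_dev_log(resp: Response) -> bool:
    """All four conditions must hold (AND), as in the module preview.

    Inside one word condition any listed phrase suffices (assumed OR default).
    The NOT condition on "text/html" rejects ordinary HTML pages, which many
    sites return with status 200 even for paths that do not exist.
    """
    header_blob = "\n".join(f"{k}: {v}" for k, v in resp.headers.items()).lower()
    return (
        resp.status == 200
        and any(w in resp.body for w in DB_WORDS)
        and any(w in resp.body for w in SCHEMA_WORDS)
        and "text/html" not in header_blob
    )


def scan(fetch: Callable[[str], Optional[Response]]) -> List[str]:
    """Fetch each candidate path in turn and return the ones that match."""
    return [p for p in CANDIDATE_PATHS
            if (r := fetch(p)) is not None and is_exposed_dev_log(r)]


# Constructed sample responses standing in for a target; not real captures.
SAMPLE_SITE = {
    "/log/development.log": Response(200, {"Content-Type": "text/plain"},
        "Connecting to database specified by database.yml\n"
        "DEPRECATION WARNING: ...\nStarted GET \"/\" for 127.0.0.1\n"),
    # Catch-all HTML page (soft 404) that echoes the path and returns 200
    "/logs/development.log": Response(200, {"Content-Type": "text/html"},
        "<html>Started GET /logs/development.log ... CREATE TABLE</html>"),
}

def demo() -> List[str]:
    return scan(SAMPLE_SITE.get)  # -> ["/log/development.log"]
```

The HTML catch-all page contains the same phrases and a 200 status, so only the negative "text/html" condition keeps it from being reported; that is why the module carries it.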

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET /log/development.log /logs/development.lo.../development.log
Matching conditions
word: Connecting to database specified by data... AND
word: DEPRECATION WARNING, CREATE TABLE AND
NOT word: text/html AND
status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability