
Drupal JSON:API User Listing

By kannthu

Severity: Medium
Vidoc Module
Tags: #drupal #exposure
Description

What is the "Drupal JSON:API User Listing" module?

The "Drupal JSON:API User Listing" module detects a misconfiguration in Drupal websites that run the JSON:API module: the site's user accounts can be listed through the API. It targets Drupal and aims to identify exposure related to the user listing functionality. The module has a medium severity level and was authored by lixts.

Impact

This module helps identify misconfigurations or vulnerabilities related to the user listing functionality in Drupal websites that use the JSON:API module. Once such an issue is detected, website administrators can take appropriate action to secure their sites and protect user data.

How does the module work?

The "Drupal JSON:API User Listing" module sends an HTTP GET request to the "/jsonapi/user/user" endpoint of the targeted Drupal website. It then applies matching conditions to the response to determine whether the user listing is exposed.

One matching condition is a regular expression that looks for a JSON object with the key "display_name" and a corresponding value. The other condition requires the HTTP response status to be 200, indicating a successful request; both conditions must hold for the module to report a match.

By evaluating the response against these matching conditions, the module identifies whether the user listing functionality of a Drupal website using the JSON:API module is exposed.
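The check described above, written out as an added Python example for administrators who want to reproduce it against their own Drupal site (this is not the module's own code or Vidoc's implementation). The endpoint path and the regular expression are copied verbatim from the module preview on this page; everything else (the function names, the `count_user_resources` helper that parses the JSON:API document instead of relying on the regex, and the sample responses) is constructed for the example. Note that the module's character class is `A-S`, so a display name containing an uppercase letter from T to Z would not satisfy the regex as written; the JSON-parsing helper does not have that limitation.

```python
import json
import re
import urllib.error
import urllib.request

# Endpoint and matcher reproduced from the module preview on this page.
JSONAPI_USER_PATH = "/jsonapi/user/user"
DISPLAY_NAME_RE = re.compile(r'\{"display_name":"([A-Sa-z0-9-_]+)"\}')


def evaluate(status, body):
    """Apply the module's two matching conditions: status 200 AND the regex.

    Returns the display names captured by the regex, or [] when the module
    would not report a match (non-200 status or no matching object).
    """
    if status != 200:
        return []
    return DISPLAY_NAME_RE.findall(body)


def count_user_resources(body):
    """Hypothetical defender-side helper (not part of the module): count the
    user resources in a JSON:API document by parsing it, so that names the
    regex's character class cannot match are still counted."""
    try:
        doc = json.loads(body)
    except ValueError:
        return 0
    data = doc.get("data", [])
    if isinstance(data, dict):  # a single-resource document
        data = [data]
    return sum(1 for res in data if isinstance(res, dict) and res.get("type") == "user--user")


def live_check(base_url, timeout=10):
    """Query your own site's endpoint and return (status, display_names).

    A 403 or 404 means the listing is not readable anonymously; a 200 with
    names returned means the exposure the module reports is present.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + JSONAPI_USER_PATH,
        headers={"Accept": "application/vnd.api+json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return resp.status, evaluate(resp.status, body)
    except urllib.error.HTTPError as err:
        return err.code, []


# Constructed sample: the shape of an anonymous JSON:API user listing, where
# only display_name is exposed per user (ids are placeholders).
SAMPLE_BODY = json.dumps({
    "jsonapi": {"version": "1.0"},
    "data": [
        {"type": "user--user", "id": "PLACEHOLDER-UUID-1",
         "attributes": {"display_name": "admin"}},
        {"type": "user--user", "id": "PLACEHOLDER-UUID-2",
         "attributes": {"display_name": "editor_1"}},
    ],
}, separators=(",", ":"))

# Constructed sample: a JSON:API error document, as returned when access
# to the collection is denied.
DENIED_BODY = json.dumps({
    "jsonapi": {"version": "1.0"},
    "errors": [{"status": "403", "title": "Forbidden"}],
}, separators=(",", ":"))


if __name__ == "__main__":
    print("exposed names:", evaluate(200, SAMPLE_BODY))      # ['admin', 'editor_1']
    print("denied:", evaluate(403, DENIED_BODY))              # []
    print("user resources:", count_user_resources(SAMPLE_BODY))  # 2
```

To run it against a site you administer, call `live_check("https://example.invalid")` and treat a 200 with non-empty names as the condition the module reports; the expected remediation is to restrict read access to the user collection rather than to change the response format, since the parsing helper shows that a regex-evading format change does not remove the exposure.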

For more information, you can refer to the Drupal.org project page.

Metadata
verified: true

Module preview

Concurrent Requests (1)

1. HTTP Request template
   GET /jsonapi/user/user

Matching conditions
   regex: \{"display_name":"([A-Sa-z0-9-_]+)"\}
   and
   status: 200

Passive global matcher
   No matching conditions.

On match action
   Report vulnerability