etcd Unauthenticated HTTP API Leak

By kannthu

Severity: High
Vidoc Module
#misconfig #hackerone #unauth #etcd
Description

What is the "etcd Unauthenticated HTTP API Leak"?

The "etcd Unauthenticated HTTP API Leak" module is designed to detect a misconfiguration vulnerability in the etcd software. Etcd is a distributed key-value store used for shared configuration and service discovery in cloud-native applications. This module focuses on an unauthenticated HTTP API leak, which can lead to unauthorized access to sensitive information.

This vulnerability has a high severity level, indicating the potential for significant impact if exploited.

Author: dhiyaneshDk

Impact

If the etcd Unauthenticated HTTP API Leak vulnerability is present, an attacker can gain unauthorized access to the etcd server and retrieve sensitive information. This can include roles, permissions, and key-value data stored within the etcd cluster. The leaked information can be used to further exploit the system or compromise the security of the application relying on etcd.

How does the module work?

The module works by sending an HTTP GET request to the "/v2/auth/roles" endpoint of the target etcd server. It then applies a set of matching conditions to determine if the vulnerability is present.

The matching conditions include:

- The response body must contain specific keywords such as "roles", "permissions", "role", and "kv".
- The response headers must indicate either "text/plain" or "application/json" content types.
- The HTTP response status code must be 200.

If all the matching conditions are met, the module reports the vulnerability, indicating the presence of the etcd Unauthenticated HTTP API Leak.

Example HTTP request:

GET /v2/auth/roles

Note: The above example is a simplified representation of the HTTP request. The actual module definition contains additional details and conditions.
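The three matching conditions can be reproduced as a small check for auditing an etcd endpoint you operate. This is an added example, not the module's own code: the function names and the sample responses are constructed, and it assumes that every listed keyword must be present and that the quotes shown in the preview are part of each keyword.

```python
import urllib.error
import urllib.request

# Keywords as listed in the matching conditions. Assumption: the quotes are
# part of each word (JSON keys), so '"role"' is distinct from '"roles"'.
BODY_WORDS = ('"roles"', '"permissions"', '"role"', '"kv"')
CONTENT_TYPES = ("text/plain", "application/json")


def matches_leak(status, headers, body):
    """Return True only if all three matchers hold (they are joined by 'and')."""
    # Assumption: every keyword is required, not just one of them.
    words_ok = all(word in body for word in BODY_WORDS)
    # Header names are case-insensitive, so normalise before the lookup.
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    type_ok = any(t in ctype.lower() for t in CONTENT_TYPES)
    return status == 200 and type_ok and words_ok


def fetch_roles(base_url, timeout=5):
    """Send the single GET /v2/auth/roles request to your own etcd endpoint."""
    req = urllib.request.Request(base_url.rstrip("/") + "/v2/auth/roles")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return r.status, dict(r.headers), r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:  # non-2xx replies still carry a body
        return e.code, dict(e.headers), e.read().decode("utf-8", "replace")


# Constructed sample responses (not captured from a real server).
SAMPLES = {
    "open": (200, {"Content-Type": "application/json"},
             '{"roles":[{"role":"root","permissions":'
             '{"kv":{"read":["/*"],"write":["/*"]}}}]}'),
    "auth_required": (401, {"Content-Type": "application/json"},
                      '{"message":"Insufficient credentials"}'),
    "html_page": (200, {"content-type": "text/html"},
                  '<p>"roles" "permissions" "role" "kv"</p>'),
    "unrelated_json": (200, {"Content-Type": "application/json"},
                       '{"roles":[]}'),
}


def classify_samples():
    """Run the matcher over every constructed sample."""
    return {name: matches_leak(*resp) for name, resp in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{name}: {'REPORT' if hit else 'no match'}")
```

Only the "open" sample is reported; passing `matches_leak(*fetch_roles(url))` applies the same check to a live endpoint under your control.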

For more information, refer to the HackerOne report.

Metadata: max-request: 1

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET /v2/auth/roles
Matching conditions
word: "roles", "permissions", "role", "kv" and
word: text/plain, application/json and
status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability