Go.mod Disclosure

By kannthu

Severity: Low
Vidoc Module
#exposure #files #go
Description

What is "Go.mod Disclosure"?

The "Go.mod Disclosure" module is designed to detect the exposure of go.mod files in the target. Go.mod is a configuration file used in Go projects to declare dependencies and specify the module's characteristics. This module helps identify instances where the go.mod file is accessible to unauthorized users, potentially leading to information disclosure. The severity of this vulnerability is low.

Impact

The exposure of go.mod files can provide valuable information to attackers, such as the dependencies and characteristics of the Go project. This information can be used to identify potential vulnerabilities or exploit weaknesses in the project's dependencies. While the severity of this vulnerability is low, it is still important to ensure that go.mod files are properly protected to prevent unauthorized access.

How does the module work?

The "Go.mod Disclosure" module works by sending an HTTP GET request to the "/go.mod" path on the target. It then applies matching conditions to determine if the go.mod file is exposed. The matching conditions include checking for specific keywords like "module", "go", and "require (" in the response body, as well as verifying that the HTTP status code is 200 (OK).

Here is an example of an HTTP request sent by the module:

GET /go.mod

The module checks if the response body contains the keywords "module", "go", and "require (" in any order. It also verifies that the HTTP status code is 200. If both conditions are met, the module flags the go.mod file as exposed.
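The matching logic described above, written out as an added example (this is not Vidoc's code). The function names and the sample responses are assumptions made for illustration, and `LooksLikeGoMod` goes beyond the module by adding a stricter line-level check, since ordinary pages can contain all three keywords:

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Keywords listed in the module's matching conditions; all must be present.
var keywords = []string{"module", "go", "require ("}

// Constructed sample responses (not captured from any real host).
const sampleGoMod = "module example.com/app\n\ngo 1.21\n\nrequire (\n\texample.com/lib v1.2.3\n)\n"
const sampleHTML = "<html><body>Pick a module, go to setup, then require ( it )</body></html>"

// MatchesModule mirrors the conditions described above: status 200 AND
// every keyword found somewhere in the response body.
func MatchesModule(status int, body string) bool {
	if status != 200 {
		return false
	}
	for _, k := range keywords {
		if !strings.Contains(body, k) {
			return false
		}
	}
	return true
}

// LooksLikeGoMod is a hypothetical stricter triage step: it also requires
// "module" and "go" to appear as directives at the start of a line.
func LooksLikeGoMod(status int, body string) bool {
	if !MatchesModule(status, body) {
		return false
	}
	seen := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(body))
	for sc.Scan() {
		if f := strings.Fields(sc.Text()); len(f) >= 2 {
			seen[f[0]] = true
		}
	}
	return seen["module"] && seen["go"]
}

func main() {
	fmt.Println(MatchesModule(200, sampleHTML), LooksLikeGoMod(200, sampleHTML))   // true false
	fmt.Println(MatchesModule(200, sampleGoMod), LooksLikeGoMod(200, sampleGoMod)) // true true
}
```

The HTML sample shows why a keyword-only hit is worth confirming before it is treated as a real exposure.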

It is important to note that this module is just one test case within the Vidoc platform, which utilizes multiple modules to perform scanning and detection of various misconfigurations, vulnerabilities, and software fingerprints.

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET /go.mod
Matching conditions
word: "module", "go", "require (" (condition: and)
status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability