Ethical Hacking Automation

Automate Recon and scanning process with Vidoc. All security teams in one place

Golang expvar Information Disclosure

By kannthu

Low
Vidoc logoVidoc Module
#go#debug#exposure
Description

Golang expvar Information Disclosure

What is the "Golang expvar Information Disclosure?"

The "Golang expvar Information Disclosure" module is designed to detect the presence of an information disclosure vulnerability in Golang applications. This vulnerability can potentially expose sensitive information about the application's internal state, such as memory statistics and command-line arguments. The severity of this vulnerability is classified as low.

This module was authored by luqman.

Impact

If the Golang expvar information disclosure vulnerability is present, an attacker may be able to gain insights into the application's internal workings, which could aid in further attacks or exploitation.

How does the module work?

The module sends an HTTP GET request to the "/debug/vars" path of the target application. It then applies matching conditions to determine if the vulnerability is present.

The matching conditions for this module are:

- The response body must contain the words "\"memstats\":" and "\"cmdline\":" - The response status code must be 200

If both conditions are met, the module will report the vulnerability.

Here is an example of the HTTP request sent by the module:

GET /debug/vars

Please note that the actual JSON definitions of the module are not shown here for brevity.

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET/debug/vars
Matching conditions
word: "memstats":, "cmdline":and
status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability