JavaScript Environment Config

By kannthu

Low
Vidoc Module
#javascript #config #exposure
Description

What is the "JavaScript Environment Config" module?

The "JavaScript Environment Config" module is designed to detect common JavaScript environment configuration files. It targets JavaScript applications and scans for misconfigurations that could potentially lead to security vulnerabilities. The severity of this module is classified as low. The original authors of this module are pdp and geeknik.

Impact

This module helps identify potential misconfigurations in JavaScript environment files, which can have various impacts on the security and functionality of the application. By detecting these misconfigurations, developers can take appropriate measures to mitigate any risks and ensure the proper functioning of their JavaScript applications.

How does the module work?

The "JavaScript Environment Config" module works by sending HTTP requests to specific paths that commonly contain JavaScript environment configuration files. It then applies a set of matching conditions to determine if the files meet the expected criteria.

For example, one of the matching conditions checks if the HTTP response status is 200, indicating a successful request. Additionally, the module checks if the response headers contain the "content-type: application/javascript" header, which indicates that the server is returning the file as JavaScript.

The module also examines the file's body for specific keywords related to environment configuration, such as "module.exports", "const audience", "const domain", "NODE_ENV", "LOG_LEVEL", "TOKEN", "KEY", "PASSWORD", and "VERSION". If any of these keywords are found, it indicates the presence of environment configuration information.

On the other hand, the module excludes files that contain certain keywords like "Bootstrap", "jQuery", and "CSS TRANSITION SUPPORT", as they are not relevant to environment configuration and may produce false positives.

By combining these matching conditions, the "JavaScript Environment Config" module effectively identifies JavaScript environment configuration files and provides valuable insights for developers to ensure proper configuration and security of their applications.
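
The matching logic described above, written out as an added example (not Vidoc's or the template authors' code) that a developer can run against responses from their own application. The keyword lists come from the page; the function names, the sample responses, and the case-sensitive "any indicator, no exclusion" reading of the word matchers are assumptions.

```javascript
// Keyword lists are taken from the page; everything else is an assumption.
const INDICATORS = ["module.exports", "const audience", "const domain",
  "NODE_ENV", "LOG_LEVEL", "TOKEN", "KEY", "PASSWORD", "VERSION"];
const EXCLUSIONS = ["Bootstrap", "jQuery", "CSS TRANSITION SUPPORT"];

// Flatten headers into one lowercased "name: value" string, mirroring the
// toLower(all_headers) expression visible in the module preview.
function flattenHeaders(headers) {
  return Object.entries(headers)
    .map(([name, value]) => `${name}: ${value}`)
    .join("\n")
    .toLowerCase();
}

// Returns { match, indicators, excludedBy } so a reviewer can see why a
// response was or was not flagged. Assumption: case-sensitive body matching.
function evaluateResponse(res) {
  const indicators = INDICATORS.filter((w) => res.body.includes(w));
  const excludedBy = EXCLUSIONS.filter((w) => res.body.includes(w));
  const isJs = flattenHeaders(res.headers)
    .includes("content-type: application/javascript");
  const match = res.status === 200 && isJs &&
    indicators.length > 0 && excludedBy.length === 0;
  return { match, indicators, excludedBy };
}

// Constructed sample responses (not captured from any real site).
const SAMPLES = {
  exposedConfig: {
    status: 200,
    headers: { "Content-Type": "application/javascript; charset=utf-8" },
    body: 'module.exports = { NODE_ENV: "production", API_TOKEN: "<placeholder>" };',
  },
  vendorBundle: {
    status: 200,
    headers: { "Content-Type": "application/javascript" },
    body: "/*! Bootstrap v3 */ var VERSION = '3.4.1'; // CSS TRANSITION SUPPORT",
  },
  spaFallback: { // catch-all route that answers 200 with HTML for any path
    status: 200,
    headers: { "Content-Type": "text/html" },
    body: "<html><script>window.NODE_ENV='production'</script></html>",
  },
  notFound: { status: 404, headers: {}, body: "Not Found" },
};
for (const [name, res] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(evaluateResponse(res)));
}
```

Because the indicators are plain substrings, short words such as "KEY" or "VERSION" match many ordinary scripts, so the returned `indicators` list is what to review when triaging a hit.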

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET /env.js, /env.development.js, /env.production.js (+3 paths)
Matching conditions
status: 200 and
dsl: contains(toLower(all_headers), `content-... and
word: module.exports, const audience, const do... and
NOT word: Bootstrap, jQuery, CSS TRANSITION SUPPOR...
Passive global matcher
No matching conditions.
On match action
Report vulnerability