Node Shrinkwrap Exposure

By kannthu

Informative
Vidoc Module
Tags: #config #exposure #npm #files
Description

What is the "Node Shrinkwrap Exposure?"

The "Node Shrinkwrap Exposure" module is designed to detect a Node.js project's npm-shrinkwrap.json file being served publicly by the web server. It targets projects that use npm as their package manager. This module has an informative severity level, meaning it reports a potential misconfiguration without actively exploiting it. The original author of this module is DhiyaneshDk.

Impact

This module helps identify a potential information-disclosure risk: an exposed npm-shrinkwrap.json lists the project's full dependency tree with exact pinned versions. Detecting the exposure lets developers remove the file from the web root or block access to it, preserving the integrity of their Node.js deployment and keeping dependency details from being enumerated by anyone who can reach the host.

How does the module work?

The "Node Shrinkwrap Exposure" module works by sending an HTTP GET request to the "/npm-shrinkwrap.json" path. It then applies a set of matching conditions to determine if the response contains relevant information. The matching conditions include checking for the presence of the keywords "version" and "dependencies" in the response body, ensuring that the response headers indicate the content type "application/json", and verifying that the response status is 200 (OK). All three conditions must hold for the module to report a match.

For example, if the target project has a valid npm-shrinkwrap.json file, the module will detect it based on the matching conditions. It will provide a report indicating that the file is exposed and accessible.

It's important to note that this module does not actively exploit any vulnerabilities or modify the target system. Instead, it focuses on identifying potential misconfigurations that could lead to security issues.
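The following is an added example (not part of the Vidoc module or this page) that re-implements the three matching conditions in Python so an operator can self-audit a host they run. The `check_host` helper and the sample responses are constructed for illustration; the HTML-fallback sample shows why the content-type condition matters: a single-page app that answers every path with its index.html would otherwise satisfy the body-word check.

```python
"""Re-implementation of the module's matcher for self-auditing a host you operate."""
import json
import urllib.request
from urllib.error import HTTPError

PATH = "/npm-shrinkwrap.json"
BODY_WORDS = ("version", "dependencies")  # both must appear in the body (AND)
HEADER_WORD = "application/json"          # must appear in Content-Type


def matches(status: int, headers: dict, body: str) -> bool:
    """Apply the module's conditions: HTTP 200, JSON content type, all body words present."""
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    return (status == 200
            and HEADER_WORD in ctype
            and all(word in body for word in BODY_WORDS))


def check_host(base_url: str, timeout: float = 5.0) -> bool:
    """GET base_url + PATH and run the matcher over the live response; True means exposed.

    Assumed helper, not part of the original module. Connection errors propagate to the caller.
    """
    req = urllib.request.Request(base_url.rstrip("/") + PATH,
                                 headers={"User-Agent": "shrinkwrap-self-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return matches(resp.status, dict(resp.headers),
                           resp.read().decode("utf-8", "replace"))
    except HTTPError:
        return False  # any non-200 status fails the status condition


# Constructed sample responses (status, headers, body); not captured from any real host.
EXPOSED = (200, {"Content-Type": "application/json; charset=utf-8"},
           json.dumps({"name": "demo-app", "version": "1.0.0",
                       "dependencies": {"lodash": {"version": "4.17.21"}}}))
HTML_FALLBACK = (200, {"Content-Type": "text/html"},
                 "<html><body>version dependencies</body></html>")  # SPA index page
MISSING = (404, {"Content-Type": "application/json"}, '{"error": "not found"}')
PARTIAL = (200, {"Content-Type": "application/json"}, '{"version": "1.0.0"}')

if __name__ == "__main__":
    for label, sample in (("exposed", EXPOSED), ("html-fallback", HTML_FALLBACK),
                          ("missing", MISSING), ("partial", PARTIAL)):
        print(f"{label}: {'REPORT' if matches(*sample) else 'no match'}")
```

To audit a live deployment, call `check_host("https://your-host.example")` and remediate a True result by removing the file from the served directory or denying the path in the web server configuration.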

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET /npm-shrinkwrap.json
Matching conditions
word: version, dependencies (AND)
word: application/json (AND)
status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability