Automate Recon and scanning process with Vidoc. All security teams in one place
By kannthu
The "NPM Debug Log Disclosure" module is designed to detect the exposure of sensitive information through the presence of the npm-debug.log file. This module targets applications that use npm, a package manager for JavaScript, and scans for the presence of the npm-debug.log file, which may contain verbose command-line interface (CLI) and stack trace information. The severity of this vulnerability is classified as low.
This module was authored by Hardik-Solanki.
If the npm-debug.log file is exposed, it may reveal sensitive information such as verbose CLI commands and stack traces. This information can potentially aid attackers in understanding the inner workings of the application and identifying potential vulnerabilities or weaknesses.
The "NPM Debug Log Disclosure" module works by sending HTTP requests to specific paths, such as "/npm-debug.log" and "/assets/npm-debug.log". It then applies two matching conditions to each response: the response status must be 200 (OK), and the body must contain verbose CLI or stack trace output.
For example, the body condition checks whether the response contains the words "verbose cli" or "verbose stack". Only if both matching conditions are met does the module report a vulnerability; a 200 response without those markers (for instance a "soft 404" page) or a 404 response that happens to contain them is not reported.
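The following is an added example, not code from the Vidoc module or from Hardik-Solanki. It reproduces the matching logic described above on constructed responses so it runs offline, and pairs it with a hypothetical Node.js request guard that refuses to serve any path ending in npm-debug.log, which is the hardening a site owner applies once the finding is confirmed. Case-insensitive matching and the function names are assumptions of this example.

```javascript
"use strict";

// Added example; not code from the Vidoc module or from Hardik-Solanki.
// It shows both sides of the "NPM Debug Log Disclosure" check from the
// defender's chair:
//   1. matchesNpmDebugLogDisclosure() reproduces the matching logic the page
//      describes (HTTP 200 and a body containing "verbose cli" or
//      "verbose stack"), applied to constructed responses so it runs offline.
//   2. makeDebugLogGuard() is a hypothetical Node.js request guard that
//      answers 404 for any path ending in npm-debug.log before the static
//      file handler runs.

// Paths the module probes, as listed on the page.
const PROBE_PATHS = ["/npm-debug.log", "/assets/npm-debug.log"];

// Marker strings from the page. Case-insensitive matching is an assumption;
// the page only says the body must contain the words.
const MARKERS = ["verbose cli", "verbose stack"];

// Both conditions must hold: status 200 AND a marker in the body.
function matchesNpmDebugLogDisclosure(response) {
  if (response.status !== 200) return false;
  const body = String(response.body).toLowerCase();
  return MARKERS.some((marker) => body.includes(marker));
}

// Constructed sample responses (not captured from any real host). The first
// mimics the opening lines npm writes to npm-debug.log; the second is a
// "soft 404" page served with status 200; the third has marker text but
// the wrong status, so it must not match.
const SAMPLE_RESPONSES = {
  exposed: {
    status: 200,
    body:
      "0 info it worked if it ends with ok\n" +
      "1 verbose cli [ '/usr/bin/node', '/usr/bin/npm', 'install' ]\n" +
      "2 info using npm@6.14.8\n",
  },
  softNotFound: { status: 200, body: "<html><body>Page not found</body></html>" },
  wrongStatus: { status: 404, body: "verbose cli verbose stack" },
};

// Returns the names of the responses the module would report.
function scanResponses(responses) {
  return Object.keys(responses).filter((name) =>
    matchesNpmDebugLogDisclosure(responses[name])
  );
}

// Hardening side: true for any request path whose last segment is
// npm-debug.log, ignoring the query string and letter case.
function isNpmDebugLogPath(url) {
  const pathname = url.split("?")[0].toLowerCase();
  return pathname === "npm-debug.log" || pathname.endsWith("/npm-debug.log");
}

// Wraps a downstream handler (e.g. a static file server) so the debug log
// is never served. Returns a tag saying who handled the request.
function makeDebugLogGuard(next) {
  return function guard(req, res) {
    if (isNpmDebugLogPath(req.url)) {
      res.statusCode = 404;
      res.end("Not Found");
      return "blocked";
    }
    return next(req, res);
  };
}

// Minimal stand-ins for http.IncomingMessage / http.ServerResponse so the
// guard can be exercised without opening a socket.
function simulateRequest(handler, url) {
  const res = {
    statusCode: 200,
    body: "",
    end(chunk) { this.body = chunk || ""; },
  };
  const handledBy = handler({ method: "GET", url }, res);
  return { status: res.statusCode, handledBy };
}

// A toy downstream handler standing in for a static file server.
function serveStatic(req, res) {
  res.statusCode = 200;
  res.end("static file contents");
  return "static";
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("reported:", scanResponses(SAMPLE_RESPONSES)); // [ 'exposed' ]
  const guarded = makeDebugLogGuard(serveStatic);
  for (const path of PROBE_PATHS.concat(["/app.js"])) {
    console.log(path, simulateRequest(guarded, path));
  }
}
```

In a real server the guard wraps the existing handler, for example `http.createServer(makeDebugLogGuard(staticHandler))`. The guard is only a backstop: the file should not reach the web root in the first place, so the deploy step (or a `.gitignore` / `.npmignore` entry) that excludes npm-debug.log is the primary fix, and the guard catches the case where one slips through.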
Note that this description covers the module's behaviour only; it does not reproduce the JSON definitions of its requests and matching conditions.
For more information, you can refer to the following resources:
- https://github.com/maurosoria/dirsearch/blob/master/db/dicc.txt
- https://docs.npmjs.com/generating-and-locating-npm-debug.log-files

Metadata:
- Verified: true
- Github query: filename:npm-debug.log