
NPM Debug Log Disclosure

By kannthu

Low
Vidoc Module
Tags: #exposure #npm #logs #debug
Description

What is the "NPM Debug Log Disclosure?"

The "NPM Debug Log Disclosure" module is designed to detect the exposure of sensitive information through the presence of the npm-debug.log file. This module targets applications that use npm, a package manager for JavaScript, and scans for the presence of the npm-debug.log file, which may contain verbose command-line interface (CLI) and stack trace information. The severity of this vulnerability is classified as low.

This module was authored by Hardik-Solanki.

Impact

If the npm-debug.log file is exposed, it may reveal sensitive information such as verbose CLI commands and stack traces. This information can potentially aid attackers in understanding the inner workings of the application and identifying potential vulnerabilities or weaknesses.

How does the module work?

The "NPM Debug Log Disclosure" module works by sending HTTP requests to specific paths, such as "/npm-debug.log" and "/assets/npm-debug.log". It then applies matching conditions to determine if the exposed file contains verbose CLI or stack trace information and if the response status is 200 (OK).

For example, one of the matching conditions checks whether the response body contains the phrase "verbose cli" or "verbose stack"; the other checks that the response status is 200. The module reports a vulnerability only when both conditions are met, so a server that answers every path with a 200 page is not reported unless the body also looks like an npm debug log.

Note that this page does not include the module's JSON request and matcher definitions; it describes only the technical behaviour of the module.
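The following Python script is an added example, not the module's own code, that reimplements the matching logic described above (the two probed paths, the "verbose cli"/"verbose stack" word condition, and the status 200 condition combined with AND) so that an operator can self-check a host they own. The case-insensitive substring comparison, the `fetch` helper and the sample responses are assumptions for illustration; the sample bodies are constructed, not captured.

```python
from urllib.error import HTTPError
from urllib.parse import urlsplit
from urllib.request import Request, urlopen

# Paths the module probes and the phrases its word matcher looks for (from the page).
PATHS = ("/npm-debug.log", "/assets/npm-debug.log")
WORDS = ("verbose cli", "verbose stack")


def words_match(body: str) -> bool:
    """Word condition: body contains at least one phrase (case-insensitive, assumed)."""
    lowered = body.lower()
    return any(word in lowered for word in WORDS)


def matches(status: int, body: str) -> bool:
    """Both conditions must hold: word match AND HTTP status 200."""
    return status == 200 and words_match(body)


def fetch(url: str, timeout: float = 10.0) -> tuple[int, str]:
    """GET a URL and return (status, first 64 KiB of body); HTTP errors keep their status."""
    req = Request(url, headers={"User-Agent": "npm-debug-log-self-check"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.getcode(), resp.read(64 * 1024).decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, ""


def find_exposed(base_url: str, fetch_fn=fetch) -> list[str]:
    """Return the probed URLs under base_url that satisfy the module's conditions."""
    base = base_url.rstrip("/")
    return [base + path for path in PATHS if matches(*fetch_fn(base + path))]


# Constructed sample responses standing in for a live server (not real captures).
SAMPLE = {
    "/npm-debug.log": (200, "0 info it worked if it ends with ok\n"
                            "1 verbose cli [ '/usr/bin/node', '/usr/bin/npm', 'install' ]\n"
                            "2 info using npm@6.14.8\n"),
    # A "soft 404": status 200 but no debug-log content, so it must NOT be reported.
    "/assets/npm-debug.log": (200, "<html><body>Page not found</body></html>"),
}


def sample_fetch(url: str) -> tuple[int, str]:
    """Offline stand-in for fetch() that serves the constructed SAMPLE responses."""
    return SAMPLE.get(urlsplit(url).path, (404, ""))


if __name__ == "__main__":
    for hit in find_exposed("https://example.test", sample_fetch):
        print("exposed:", hit)
```

To check a real host you administer, call `find_exposed("https://your-host")` and the default `fetch` helper is used instead of the samples.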

For more information, you can refer to the following resources:

- https://github.com/maurosoria/dirsearch/blob/master/db/dicc.txt
- https://docs.npmjs.com/generating-and-locating-npm-debug.log-files

Metadata:

- Verified: true
- Github query: filename:npm-debug.log

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET/npm-debug.log/assets/npm-debug.lo...
Matching conditions
word: verbose cli, verbose stack
and
status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability