Oauth Credentials Json

By kannthu

Low
Vidoc Module
#exposure #oauth #files
Description

What is the "Oauth Credentials Json" module?

The "Oauth Credentials Json" module detects one specific misconfiguration: an "oauth-credentials.json" file served from the web root that exposes a "client_id" and "client_secret" pair. OAuth client credentials identify an application to an authorization server; the client_secret is meant to stay on the server side of a confidential client and must never be reachable over HTTP.

The module is rated low severity. Treat that as the template's default rather than a verdict on the finding: a live client_secret for a confidential client is a leaked credential, so check which provider issued it and which scopes the client holds before deciding how urgent the fix is. In every case the file should be removed from the document root or blocked at the web server.

This module was authored by DhiyaneshDK.

Impact

If "oauth-credentials.json" is reachable over HTTP, anyone who requests it obtains the client_id and client_secret. With those values an attacker can present themselves to the authorization server as the registered client application; depending on the provider and the grants and scopes the client was issued, that can mean minting tokens, abusing the client's authorization flows, reading data the integration has access to, or performing actions under the application's identity.

How does the module work?

The "Oauth Credentials Json" module sends a single GET request to the "/oauth-credentials.json" path and evaluates the response against two conditions: the body must contain the strings "client_id": and "client_secret":, and the HTTP status must be 200 (OK).

The matching conditions used in this module are:

- Check that both "client_id": and "client_secret": appear in the response body (word matcher, condition "and").
- Verify that the response status is 200 (OK).

If both conditions are met, the module reports a vulnerability, indicating that OAuth credentials are exposed in the JSON file. Note that the word matcher does not parse JSON: any 200 response whose body happens to contain both strings (for example a catch-all page that echoes the path, or documentation that mentions the field names) will also match, so confirm the body is a real JSON object with non-empty values before acting on a hit.

Example HTTP request:

GET /oauth-credentials.json

Note: The actual JSON definitions of the module are not shown here for simplicity.
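The following script, added here as an illustration and not part of the Vidoc module or its JSON definition, reproduces the module's logic in Python and places a stricter JSON-aware check next to it. The function and variable names, the User-Agent string, and the sample response bodies are all constructed for the example; the path and the two matcher strings come from the page.

```python
"""Reproduce the "Oauth Credentials Json" check and tighten it.

Added example (not Vidoc's own module code). Names, samples and the
User-Agent string are assumptions made for the illustration.
"""
import json
import urllib.error
import urllib.request

PATH = "/oauth-credentials.json"           # path from the module
REQUIRED_WORDS = ('"client_id":', '"client_secret":')  # word matcher strings


def module_matches(status: int, body: str) -> bool:
    """Mirror the page's matcher: status 200 AND both words present."""
    return status == 200 and all(word in body for word in REQUIRED_WORDS)


def strict_matches(status: int, body: str) -> bool:
    """Tighter confirmation: body must parse as a JSON object whose
    client_id and client_secret are non-empty strings. Filters catch-all
    200 pages and placeholder files that the word matcher would flag."""
    if status != 200:
        return False
    try:
        data = json.loads(body)
    except ValueError:
        return False
    if not isinstance(data, dict):
        return False
    values = (data.get("client_id"), data.get("client_secret"))
    return all(isinstance(v, str) and v.strip() for v in values)


def fetch(base_url: str, timeout: float = 10.0):
    """Issue the module's GET and return (status, body).
    Network call; base_url is supplied by the caller."""
    req = urllib.request.Request(
        base_url.rstrip("/") + PATH,
        headers={"User-Agent": "oauth-json-check/1.0"},  # assumed UA
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getcode(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # Non-2xx responses still carry a body worth inspecting.
        return err.code, err.read().decode("utf-8", "replace")


def classify(status: int, body: str) -> str:
    """Collapse both checks into one verdict string."""
    if strict_matches(status, body):
        return "confirmed"           # real JSON with live-looking values
    if module_matches(status, body):
        return "needs-review"        # module would fire; likely false positive
    return "clean"


def scan(base_url: str) -> str:
    """Run the check against a live host (network)."""
    return classify(*fetch(base_url))


# Constructed sample responses used to exercise the logic offline.
SAMPLE_LEAK = '{"client_id": "1234.apps.example", "client_secret": "s3cr3t-value"}'
SAMPLE_CATCHALL = ('<html><body>Set "client_id": and "client_secret": '
                   'in your config file.</body></html>')
SAMPLE_EMPTY = '{"client_id": "", "client_secret": ""}'
SAMPLE_MISSING = '{"error": "not found"}'


def demo() -> dict:
    """Classify each constructed sample; returns verdict per sample."""
    return {
        "leak": classify(200, SAMPLE_LEAK),
        "catchall": classify(200, SAMPLE_CATCHALL),
        "empty": classify(200, SAMPLE_EMPTY),
        "missing": classify(404, SAMPLE_MISSING),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The two-tier verdict is the practical point: "needs-review" reproduces exactly what the module reports, while "confirmed" is what a triager should require before raising the severity or escalating to the OAuth provider for secret rotation.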

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET /oauth-credentials.j...
Matching conditions
word: "client_id":, "client_secret": (condition: and)
status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability