Ruby-on-Rails Database Configuration Exposure

By kannthu

Severity: Low
Vidoc Module
Tags: #config #exposure #rails
Description

What is the "Ruby-on-Rails Database Configuration Exposure"?

The "Ruby-on-Rails Database Configuration Exposure" module detects Ruby-on-Rails applications whose database configuration is publicly reachable. It targets the "database.yml" file, which contains sensitive information such as the database adapter, database name, and production settings. This module has a low severity level.

Original authors: pdteam, geeknik

Impact

If the database configuration is exposed, it can lead to unauthorized access to the database and the sensitive data it holds. Attackers can use the exposed configuration to gain unauthorized access to the application's database and manipulate or steal sensitive information.

How does the module work?

The module sends an HTTP GET request to the "/config/database.yml" path. It then applies matching conditions to determine if the database configuration is exposed. The matching conditions include checking for specific keywords in the response body, such as "adapter:", "database:", and "production:", as well as verifying that the response status is 200 (OK).

Example HTTP request:

GET /config/database.yml

The module matches the response body against the keywords and ensures that the response status is 200. If both conditions are met, it reports a vulnerability.
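The matching logic described above, re-implemented offline as an added example (this is not Vidoc's or the module's own code). It assumes that the word matcher requires all three listed keywords and that the two matchers are joined with AND, as the module preview shows; the three sample responses are constructed here to illustrate a true positive and the two cases the conditions are meant to filter out.

```python
"""Offline re-implementation of the module's matching conditions.

Added example, not Vidoc's code. Assumption: every keyword must appear in the
body (all-words condition) AND the status must be 200. The sample responses
below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

# Matching conditions as listed in the module preview on this page.
REQUIRED_WORDS: Tuple[str, ...] = ("adapter:", "database:", "production:")
REQUIRED_STATUS = 200


@dataclass
class Response:
    """Minimal stand-in for an HTTP response: status code and body text."""
    status: int
    body: str


def word_matcher(body: str, words: Tuple[str, ...] = REQUIRED_WORDS) -> bool:
    """True when every keyword appears in the body (assumed all-words condition)."""
    return all(word in body for word in words)


def status_matcher(status: int, expected: int = REQUIRED_STATUS) -> bool:
    """True when the status code equals the expected value."""
    return status == expected


def is_database_config_exposed(resp: Response) -> bool:
    """Combine the word and status matchers with AND, as the preview shows."""
    return word_matcher(resp.body) and status_matcher(resp.status)


# Constructed sample: a database.yml actually served by the web tier.
EXPOSED_YML = """default: &default
  adapter: postgresql
  encoding: unicode
  username: app_user
  password: <%= ENV["APP_DB_PASSWORD"] %>

production:
  <<: *default
  database: app_production
"""

# Constructed sample: the same body returned with a 404 (for example an error
# handler echoing content); the status condition alone rules it out.
NOT_FOUND = Response(404, EXPOSED_YML)

# Constructed sample: a normal 200 HTML page that mentions only one keyword;
# the all-words condition keeps it from being reported.
HTML_200 = Response(200, "<html><body>Deploying to production: see docs</body></html>")


def classify(responses: Dict[str, Response]) -> Dict[str, bool]:
    """Run the matcher over named responses and return a verdict per name."""
    return {name: is_database_config_exposed(r) for name, r in responses.items()}


if __name__ == "__main__":
    verdicts = classify({
        "exposed": Response(200, EXPOSED_YML),
        "not_found": NOT_FOUND,
        "html_200": HTML_200,
    })
    for name, hit in verdicts.items():
        print(f"{name}: {'REPORT' if hit else 'no match'}")
```

In a correctly deployed Rails application the web server's document root is the `public/` directory, so `/config/database.yml` is never reachable; a genuine match usually means the whole application directory was exposed as the web root or a copy of the file was placed under `public/`. When triaging a hit, confirm that the body is a real YAML document rather than an HTML page that happens to contain all three keywords.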

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET /config/database.yml
Matching conditions
word: adapter:, database:, production:
and
status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability