Springboot Liquidbase API

By kannthu

Low
Vidoc Module
#misconfig #springboot #exposure #liquibase
Description

What is the "Springboot Liquidbase API"?

The "Springboot Liquidbase API" module is designed to detect misconfigurations in Spring Boot applications that use Liquibase for managing database changes. Liquibase is an open-source library that provides a way to track, manage, and apply database schema changes. This module focuses on identifying potential vulnerabilities and exposures related to Liquibase endpoints.

This module has a low severity level, indicating that the detected issues may have limited impact or pose a lower risk to the application.

Author: ELSFA7110

Impact

The "Springboot Liquidbase API" module aims to identify potential misconfigurations or vulnerabilities in the Liquibase endpoints of Spring Boot applications. By detecting these issues, it helps developers and security professionals ensure the proper configuration and security of the Liquibase API, preventing unauthorized access or unintended exposure of sensitive information.

How does the module work?

The "Springboot Liquidbase API" module works by sending HTTP requests to specific Liquibase endpoints and applying matching conditions to identify potential vulnerabilities or misconfigurations. It checks for specific keywords in the response body and headers, together with the HTTP status code, to determine if the Liquibase API is properly configured and secured.

For example, one of the HTTP requests sent by this module could be:

GET /liquibase

The module then applies the following matching conditions:

- The response body must contain the keywords "liquibase" and "\"FILENAME\":\"".
- The response headers must include one of the following: "application/json", "application/vnd.spring-boot.actuator", "application/vnd.spring-boot.actuator.v1+json", or "application/vnd.spring-boot.actuator.v2+json".
- The HTTP status code must be 200.

If all the matching conditions are met, the module will report a potential vulnerability or misconfiguration related to the Liquibase API.
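The matching conditions above, written out as a small Python check that can be run against a response captured from your own application. This is an added example, not the Vidoc module's own code; the function name and the sample responses are constructed for illustration.

```python
# Added illustration: the page's three matching conditions applied to
# responses that are constructed here (not captured from a real system).

BODY_WORDS = ("liquibase", '"FILENAME":"')   # all must appear in the body
HEADER_WORDS = (                              # any one must appear in the headers
    "application/json",
    "application/vnd.spring-boot.actuator",
    "application/vnd.spring-boot.actuator.v1+json",
    "application/vnd.spring-boot.actuator.v2+json",
)


def liquibase_endpoint_exposed(status, headers, body):
    """Return (matched, failed_conditions) for one HTTP response.

    Hypothetical helper: a response is reported only when every condition
    holds, mirroring the "and" between the module's matchers.
    """
    header_text = "\n".join(f"{k}: {v}" for k, v in headers.items())
    checks = {
        "status is 200": status == 200,
        "body contains all keywords": all(w in body for w in BODY_WORDS),
        "headers contain an expected content type":
            any(w in header_text for w in HEADER_WORDS),
    }
    failed = [name for name, ok in checks.items() if not ok]
    return (not failed, failed)


# Constructed sample: change-set data served without authentication.
EXPOSED = (200,
           {"Content-Type": "application/vnd.spring-boot.actuator.v1+json"},
           '[{"ID":"1","AUTHOR":"dev",'
           '"FILENAME":"classpath:/db/liquibase-changelog.xml"}]')

# Constructed sample: the endpoint requires authentication.
PROTECTED = (401, {"Content-Type": "application/json"},
             '{"error":"Unauthorized"}')

# Constructed sample: an HTML page that merely quotes the keywords.
HTML_PAGE = (200, {"Content-Type": "text/html"},
             '<pre>liquibase output: {"FILENAME":"x.xml"}</pre>')

if __name__ == "__main__":
    for name, resp in [("exposed", EXPOSED), ("protected", PROTECTED),
                       ("html page", HTML_PAGE)]:
        print(name, liquibase_endpoint_exposed(*resp))
```

The list of failed conditions shows why a response was not reported, which helps when confirming that an access-control change actually closed the endpoint.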

For more information about Liquibase and its usage in Spring Boot applications, refer to the official Spring Boot documentation.

Metadata
verified: true

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET /liquibase, /actuator/liquibase
Matching conditions
word: liquibase, "FILENAME":" and
word: application/json, application/vnd.spring... and
status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability