Ethical Hacking Automation

Automate Recon and scanning process with Vidoc. All security teams in one place

webpack config disclosure

By kannthu

Informative
Vidoc logoVidoc Module
#config#exposure
Description

What is the "webpack config disclosure?"

The "webpack config disclosure" module is designed to detect misconfigurations in web projects that use webpack for bundling. It targets the "webpack.config.js" file, which contains metadata relevant to the project. This module is authored by ambassify and has an informative severity level.

Impact

If a misconfiguration is detected in the webpack configuration file, it could potentially expose sensitive information or allow unauthorized access to the project's resources. This can lead to security vulnerabilities and compromise the integrity of the web application.

How does the module work?

The "webpack config disclosure" module works by sending an HTTP GET request to the "/webpack.config.js" path. It then applies several matching conditions to determine if a misconfiguration is present:

- The module checks if the response body contains the keywords "module.exports" or "const". - It verifies if the response header includes the content types "application/javascript" or "text/javascript". - The module also ensures that the HTTP response status is 200 (OK).

If all of these conditions are met, the module flags the webpack configuration file as potentially misconfigured.

Example HTTP request:

GET /webpack.config.js

Note: The above example is a simplified representation of the HTTP request sent by the module.

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET/webpack.config.js
Matching conditions
word: module.exports, constand
word: application/javascript, text/javascriptand
status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability