yarn lock file disclosure

By kannthu

Informative
Vidoc Module
#exposure #files
Description

What is the "yarn lock file disclosure"?

The "yarn lock file disclosure" module detects a publicly reachable yarn.lock file. Yarn is a package manager for JavaScript projects, and yarn.lock records the exact resolved version (and integrity hash) of every dependency, direct and transitive, that was installed. This module identifies web roots where that file is served to anyone who requests it, which discloses the project's complete dependency tree and the exact versions in use.

This module has an informative severity level, meaning it provides valuable information but does not indicate a direct vulnerability or misconfiguration.

Impact

An exposed yarn.lock reveals the exact version of every dependency the project installs, including transitive ones. An attacker can match those versions against public vulnerability advisories to find known-vulnerable or outdated packages and target them directly, instead of having to guess which libraries and versions the application uses.
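To make concrete what an exposed lockfile hands an attacker, here is an added example (not part of the Vidoc module or of this page) that parses the yarn.lock v1 format and lists the pinned version of every package. The lockfile content is constructed for the example. The second helper goes one step beyond the text above: it also reports the hosts named in the `resolved` URLs, since a lockfile that pulls from a private registry names that registry.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample of a yarn.lock v1 file (not taken from any real project).
SAMPLE_YARN_LOCK = """\
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@babel/code-frame@^7.0.0", "@babel/code-frame@^7.10.4":
  version "7.10.4"
  resolved "https://registry.yarnpkg.com/@babel/code-frame/-/code-frame-7.10.4.tgz#168da1a3"
  integrity sha512-AAAA
  dependencies:
    "@babel/highlight" "^7.10.4"

lodash@^4.17.15, lodash@^4.17.19:
  version "4.17.20"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.20.tgz#b44a9b62"
  integrity sha512-BBBB

internal-auth-sdk@^2.1.0:
  version "2.1.3"
  resolved "https://npm.corp.example.internal/internal-auth-sdk/-/internal-auth-sdk-2.1.3.tgz#abcd"
  integrity sha512-CCCC
"""

# An entry header is an unindented line ending in ':' that lists one or more
# "name@range" specifiers separated by ", " (quoted when they contain special chars).
HEADER_RE = re.compile(r'^(?P<specs>\S.*):$')
# The two fields we care about are indented by exactly two spaces.
FIELD_RE = re.compile(r'^  (?P<key>version|resolved) "?(?P<value>[^"]+)"?$')


def is_yarn_lock_v1(text):
    """True when the two marker comments Yarn writes at the top of a v1 lockfile are present."""
    head = text.splitlines()[:5]
    return ("# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY." in head
            and "# yarn lockfile v1" in head)


def package_name(spec):
    """'@scope/pkg@^1.0.0' -> '@scope/pkg'; 'lodash@^4.17.15' -> 'lodash'."""
    spec = spec.strip().strip('"')
    # Split on the last '@' so scoped packages keep their leading '@'.
    return spec[:spec.rindex("@")] if "@" in spec[1:] else spec


def parse_yarn_lock(text):
    """Return {package_name: {(version, resolved_url), ...}} from v1 lockfile text."""
    packages = defaultdict(set)
    current, version, resolved = [], None, None

    def flush():
        if current and version:
            for name in current:
                packages[name].add((version, resolved))

    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m and not line.startswith("#"):
            flush()
            current = [package_name(s) for s in m.group("specs").split(", ")]
            version, resolved = None, None
            continue
        f = FIELD_RE.match(line)
        if f and f.group("key") == "version":
            version = f.group("value")
        elif f:
            resolved = f.group("value")
    flush()
    return dict(packages)


def summarize(text):
    """name -> sorted pinned versions: exactly the data an exposed lockfile hands out."""
    return {name: sorted(v for v, _ in entries)
            for name, entries in parse_yarn_lock(text).items()}


def off_registry_hosts(text, public=("registry.yarnpkg.com", "registry.npmjs.org")):
    """Hosts in resolved URLs other than the public registries (private mirrors, etc.)."""
    hosts = set()
    for entries in parse_yarn_lock(text).values():
        for _, url in entries:
            host = urlparse(url).hostname if url else None
            if host and host not in public:
                hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    assert is_yarn_lock_v1(SAMPLE_YARN_LOCK)
    for name, versions in sorted(summarize(SAMPLE_YARN_LOCK).items()):
        print(f"{name}: {', '.join(versions)}")
    print("non-public registry hosts:", off_registry_hosts(SAMPLE_YARN_LOCK))
```

The parser only follows the `version` and `resolved` fields, which is all an attacker needs to cross-reference packages against advisory databases; the `dependencies:` sub-blocks are skipped on purpose.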

How does the module work?

The "yarn lock file disclosure" module works by sending an HTTP GET request to the "/yarn.lock" path. It then applies a set of matching conditions to determine if the yarn.lock file is exposed:

- Body: the response body must contain both marker lines that Yarn writes at the top of every v1 lockfile, "# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY." and "# yarn lockfile v1".
- Header: the response headers must contain the word "text/html".
- Status: the response status code must be 200 (OK).

All three conditions are combined with AND; only when every one of them holds does the module report the yarn.lock file as exposed.

Two practical notes. The two body markers are the decisive signal: a catch-all page that answers 200 to any path will not contain them, so it does not produce a false positive on its own. The header condition as shown requires "text/html", whereas a yarn.lock served as a static file normally arrives as text/plain or application/octet-stream, so confirm the polarity of that check (match or exclude) in the module definition before relying on the result for a text/plain response.

It's important to note that this module does not modify or interact with the yarn.lock file or the project's dependencies. It solely focuses on detecting the exposure of the file.
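The three conditions above written out as a small Python checker. This is an added example, not the module's own code; the sample responses are constructed, and the `html_negative` switch is an assumption added to show how the outcome changes if the "text/html" header word is treated as an exclusion instead of a requirement (the page states only that the header must include it). The `probe` helper performs the same single GET against a live target with the standard library.

```python
import sys
import urllib.error
import urllib.request

# Module settings as documented on this page.
PATH = "/yarn.lock"
BODY_MARKERS = (
    "# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.",
    "# yarn lockfile v1",
)
HEADER_WORD = "text/html"
EXPECTED_STATUS = 200


def matches(status, headers, body, html_negative=False):
    """Apply the module's three AND-ed conditions to one HTTP response.

    html_negative=False follows the page literally (a header must contain text/html).
    html_negative=True is an assumption for comparison: the word excludes the response,
    which is how catch-all HTML pages are commonly filtered out.
    """
    body_ok = all(marker in body for marker in BODY_MARKERS)
    header_blob = "\n".join(f"{k}: {v}" for k, v in headers.items())
    html_seen = HEADER_WORD.lower() in header_blob.lower()
    header_ok = (not html_seen) if html_negative else html_seen
    return body_ok and header_ok and status == EXPECTED_STATUS


def probe(base_url, timeout=10):
    """GET <base_url>/yarn.lock and return (status, headers, body) for matches()."""
    req = urllib.request.Request(base_url.rstrip("/") + PATH,
                                 headers={"User-Agent": "yarn-lock-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # non-2xx still carries status, headers and body
        return err.code, dict(err.headers), err.read(65536).decode("utf-8", "replace")


# Constructed responses covering the cases a scanner meets in practice.
LOCKFILE_BODY = (
    "# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.\n"
    "# yarn lockfile v1\n\n\n"
    'lodash@^4.17.19:\n  version "4.17.20"\n'
)
SAMPLES = {
    "real lockfile, text/plain": (200, {"Content-Type": "text/plain; charset=utf-8"}, LOCKFILE_BODY),
    "real lockfile, text/html": (200, {"Content-Type": "text/html"}, LOCKFILE_BODY),
    "catch-all HTML page (soft 404)": (200, {"Content-Type": "text/html"}, "<html><body>Welcome</body></html>"),
    "not found": (404, {"Content-Type": "text/plain"}, "Not Found"),
}


def evaluate(html_negative=False):
    """Run every constructed sample through matches() under one header polarity."""
    return {label: matches(*resp, html_negative=html_negative) for label, resp in SAMPLES.items()}


if __name__ == "__main__":
    if len(sys.argv) > 1:  # live check: python yarn_lock_check.py https://target.example
        print("exposed:", matches(*probe(sys.argv[1])))
    else:
        for polarity in (False, True):
            print(f"text/html treated as {'exclusion' if polarity else 'requirement'}:")
            for label, hit in evaluate(polarity).items():
                print(f"  {label:32} -> {hit}")
```

Run without arguments it prints both tables, which makes the practical point visible: under the page's literal reading a lockfile served as text/plain is not reported, while under the exclusion reading it is and the soft-404 HTML page is still rejected by the body markers either way.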

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET /yarn.lock
Matching conditions
word: # THIS IS AN AUTOGENERATED FILE. DO NOT ... and
word: text/html and
status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability