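# Detection template: flags dotenv files that the web server hands out as
# static content. A hit means the listed secrets were readable without
# authentication; treat them as compromised (rotate them) and deny dotfile
# requests at the web server or keep .env outside the document root.
id: xpl-env-leak

info:
  name: ".env File Exposure"
  author: imtaqin
  severity: high
  description: |
    Detects exposed .env files containing credentials, API keys,
    or database passwords.
  tags:
    - exposure
    - config
    - credential-leak
  reference:
    - https://owasp.org/www-community/vulnerabilities/Information_exposure_through_files

http:
  - method: GET
    path:
      - "{{BaseURL}}/.env"
      - "{{BaseURL}}/.env.local"
      - "{{BaseURL}}/.env.production"
      - "{{BaseURL}}/.env.backup"

    # All three matchers must hold for the same response.
    matchers-condition: and
    matchers:
      - type: status
        status: [200]

      # must contain actual env-style KEY=VALUE pairs with sensitive names.
      # The value has to be non-empty: a bare `API_KEY=` placeholder carries
      # no secret and should not raise a high-severity finding. Leading
      # whitespace and the dotenv `export ` prefix are tolerated so that
      # real files written in that style are not missed.
      # Single quotes keep the backslashes literal for the regex engine.
      - type: regex
        part: body
        regex:
          - '(?im)^[ \t]*(?:export[ \t]+)?(APP_KEY|DB_PASSWORD|AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|SECRET_KEY|API_KEY|PRIVATE_KEY|STRIPE_SECRET|JWT_SECRET)[ \t]*=[ \t]*\S'
        name: env-secret

      # must NOT be served as HTML (default 404 page).
      # Trade-off: a server that labels every static file text/html is
      # skipped here even when the body is a real dotenv file, so a clean
      # result from this template is not proof that the file is unreachable.
      - type: regex
        part: header
        regex:
          - "(?i)content-type:\\s*text/html"
        negative: true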