@soulofzephir/pi-skill-pentesting 1.0.0 → 1.0.1
- package/package.json +2 -2
- package/skills/pentesting/SKILL.md +168 -224
- package/skills/pentesting/checklists/cors.md +183 -0
- package/skills/pentesting/checklists/exposed-files.md +311 -0
- package/skills/pentesting/checklists/graphql.md +375 -0
- package/skills/pentesting/checklists/jwt.md +225 -0
- package/skills/pentesting/tools/exposed-files-scan.ps1 +333 -0
- package/skills/pentesting/tools/exposed-files-scan.sh +291 -0
- package/skills/pentesting/tools/full-scan.ps1 +508 -0
- package/skills/pentesting/tools/full-scan.sh +454 -0
|
@@ -0,0 +1,183 @@
|
|
|
1
|
+
# CORS Security Checklist
|
|
2
|
+
|
|
3
|
+
## ๐ What is CORS?
|
|
4
|
+
|
|
5
|
+
Cross-Origin Resource Sharing (CORS) controls which domains can access resources from your site.
|
|
6
|
+
|
|
7
|
+
---
|
|
8
|
+
|
|
9
|
+
## โ ๏ธ Dangerous CORS Configurations
|
|
10
|
+
|
|
11
|
+
### โ Wildcard Origin (DANGEROUS)
|
|
12
|
+
```http
|
|
13
|
+
Access-Control-Allow-Origin: *
|
|
14
|
+
```
|
|
15
|
+
**Risk:** Any website can access your resources
|
|
16
|
+
|
|
17
|
+
### โ Multiple Origins with Null Origin
|
|
18
|
+
```http
|
|
19
|
+
Access-Control-Allow-Origin: null
|
|
20
|
+
Access-Control-Allow-Credentials: true
|
|
21
|
+
```
|
|
22
|
+
**Risk:** Can be exploited via sandboxed iframes
|
|
23
|
+
|
|
24
|
+
### โ Wildcard with Credentials
|
|
25
|
+
```http
|
|
26
|
+
Access-Control-Allow-Origin: *
|
|
27
|
+
Access-Control-Allow-Credentials: true
|
|
28
|
+
```
|
|
29
|
+
**Risk:** Invalid - browsers block this, but indicates misconfiguration
|
|
30
|
+
|
|
31
|
+
---
|
|
32
|
+
|
|
33
|
+
## โ
Secure CORS Configuration
|
|
34
|
+
|
|
35
|
+
### โ
Proper Config Example
|
|
36
|
+
```http
|
|
37
|
+
Access-Control-Allow-Origin: https://trusted-domain.com
|
|
38
|
+
Access-Control-Allow-Methods: GET, POST
|
|
39
|
+
Access-Control-Allow-Headers: Content-Type
|
|
40
|
+
Access-Control-Max-Age: 86400
|
|
41
|
+
```
|
|
42
|
+
|
|
43
|
+
### โ
Strict CSP as Backup
|
|
44
|
+
```http
|
|
45
|
+
Content-Security-Policy: frame-ancestors 'self'
|
|
46
|
+
```
|
|
47
|
+
|
|
48
|
+
---
|
|
49
|
+
|
|
50
|
+
## ๐งช Test Checklist
|
|
51
|
+
|
|
52
|
+
### 1. Basic CORS Check
|
|
53
|
+
```bash
|
|
54
|
+
# Check CORS headers
|
|
55
|
+
curl -I -s https://target.com | grep -iE "access-control"
|
|
56
|
+
|
|
57
|
+
# Test with Origin header
|
|
58
|
+
curl -I -s -H "Origin: https://evil.com" https://target.com | grep -iE "access-control"
|
|
59
|
+
```
|
|
60
|
+
|
|
61
|
+
### 2. Credential Leakage Test
|
|
62
|
+
```bash
|
|
63
|
+
# Test if credentials are exposed with arbitrary origin
|
|
64
|
+
curl -I -s -H "Origin: https://evil.com" \
|
|
65
|
+
-H "Cookie: session=abc123" \
|
|
66
|
+
https://target.com
|
|
67
|
+
```
|
|
68
|
+
|
|
69
|
+
### 3. JSON Hijacking Test
|
|
70
|
+
```javascript
|
|
71
|
+
// Test if sensitive data can be stolen
|
|
72
|
+
<script>
|
|
73
|
+
var req = new XMLHttpRequest();
|
|
74
|
+
req.onload = function() {
|
|
75
|
+
stealData(this.responseText);
|
|
76
|
+
};
|
|
77
|
+
req.open('GET', 'https://target.com/api/user/data', true);
|
|
78
|
+
req.withCredentials = true;
|
|
79
|
+
req.send();
|
|
80
|
+
</script>
|
|
81
|
+
```
|
|
82
|
+
|
|
83
|
+
---
|
|
84
|
+
|
|
85
|
+
## ๐ CORS Vulnerability Checklist
|
|
86
|
+
|
|
87
|
+
- [ ] `Access-Control-Allow-Origin: *` used?
|
|
88
|
+
- [ ] Credentials sent with wildcard origin?
|
|
89
|
+
- [ ] Sensitive endpoints allow CORS?
|
|
90
|
+
- [ ] `null` origin allowed?
|
|
91
|
+
- [ ] Internal IPs allowed as origin?
|
|
92
|
+
- [ ] Methods/Headers too permissive?
|
|
93
|
+
- [ ] CORS used as sole protection (should use auth)?
|
|
94
|
+
|
|
95
|
+
---
|
|
96
|
+
|
|
97
|
+
## ๐ง Common Misconfigurations
|
|
98
|
+
|
|
99
|
+
| Misconfiguration | Risk | Fix |
|
|
100
|
+
|------------------|------|-----|
|
|
101
|
+
| `*` origin | ๐ด CRITICAL | Whitelist specific domains |
|
|
102
|
+
| `null` origin | ๐ด CRITICAL | Remove or restrict |
|
|
103
|
+
| All methods allowed | ๐ HIGH | Only allow needed methods |
|
|
104
|
+
| All headers allowed | ๐ HIGH | Only allow needed headers |
|
|
105
|
+
| Credentials with `*` | ๐ด CRITICAL | Never use together |
|
|
106
|
+
| No `Vary: Origin` | ๐ก MEDIUM | Required for dynamic origins |
|
|
107
|
+
|
|
108
|
+
---
|
|
109
|
+
|
|
110
|
+
## ๐จ Attack Scenarios
|
|
111
|
+
|
|
112
|
+
### 1. Data Theft via CORS
|
|
113
|
+
```
|
|
114
|
+
Attacker site โ CORS request to target.com โ Steals user data
|
|
115
|
+
```
|
|
116
|
+
|
|
117
|
+
### 2. Credential Hijacking
|
|
118
|
+
```
|
|
119
|
+
Attacker site โ CORS with credentials โ Access victim's account
|
|
120
|
+
```
|
|
121
|
+
|
|
122
|
+
### 3. JSONP Hijacking
|
|
123
|
+
```
|
|
124
|
+
Target allows GET with * โ JSONP endpoint exposed
|
|
125
|
+
```
|
|
126
|
+
|
|
127
|
+
---
|
|
128
|
+
|
|
129
|
+
## ๐ก๏ธ Remediation
|
|
130
|
+
|
|
131
|
+
### Apache
|
|
132
|
+
```apache
|
|
133
|
+
Header set Access-Control-Allow-Origin "https://trusted.com"
|
|
134
|
+
Header set Access-Control-Allow-Methods "GET, POST"
|
|
135
|
+
Header set Access-Control-Allow-Credentials "true"
|
|
136
|
+
Header set Access-Control-Max-Age "86400"
|
|
137
|
+
```
|
|
138
|
+
|
|
139
|
+
### Nginx
|
|
140
|
+
```nginx
|
|
141
|
+
add_header Access-Control-Allow-Origin "https://trusted.com" always;
|
|
142
|
+
add_header Access-Control-Allow-Methods "GET, POST" always;
|
|
143
|
+
add_header Access-Control-Allow-Credentials "true" always;
|
|
144
|
+
add_header Access-Control-Max-Age "86400" always;
|
|
145
|
+
```
|
|
146
|
+
|
|
147
|
+
### Node.js/Express
|
|
148
|
+
```javascript
|
|
149
|
+
app.use((req, res, next) => {
|
|
150
|
+
const allowedOrigins = ['https://trusted.com'];
|
|
151
|
+
const origin = req.headers.origin;
|
|
152
|
+
if (allowedOrigins.includes(origin)) {
|
|
153
|
+
res.setHeader('Access-Control-Allow-Origin', origin);
|
|
154
|
+
res.setHeader('Access-Control-Allow-Credentials', 'true');
|
|
155
|
+
}
|
|
156
|
+
res.setHeader('Access-Control-Allow-Methods', 'GET, POST');
|
|
157
|
+
next();
|
|
158
|
+
});
|
|
159
|
+
```
|
|
160
|
+
|
|
161
|
+
---
|
|
162
|
+
|
|
163
|
+
## ๐ CORS Security Score
|
|
164
|
+
|
|
165
|
+
| Configuration | Score | Grade |
|
|
166
|
+
|---------------|-------|-------|
|
|
167
|
+
| No CORS headers | 0 | F |
|
|
168
|
+
| `*` without credentials | 30 | D |
|
|
169
|
+
| Wildcard + credentials attempt | 40 | D |
|
|
170
|
+
| Whitelist with credentials | 80 | B |
|
|
171
|
+
| Whitelist + strict CSP | 100 | A |
|
|
172
|
+
|
|
173
|
+
---
|
|
174
|
+
|
|
175
|
+
## ๐ ๏ธ Tools
|
|
176
|
+
|
|
177
|
+
```bash
|
|
178
|
+
# CORS Scanner
|
|
179
|
+
nmap --script=http-cors-headers target.com -p 443
|
|
180
|
+
|
|
181
|
+
# Manual test
|
|
182
|
+
# Browser DevTools > Network > Check "Origin" in request headers
|
|
183
|
+
```
|
|
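Review bot: the CORS Security Score table scores "No CORS headers" as 0/F, which inverts the risk: with no `Access-Control-Allow-Origin` header the browser's same-origin policy blocks every cross-origin read, so that is the most restrictive state rather than the worst, and `*` without credentials (30/D) is a legitimate choice for a public, unauthenticated API. In the same vein, "Strict CSP as Backup" with `frame-ancestors 'self'` controls who may frame the page (clickjacking), not who may read responses cross-origin, so it is not a CORS control and should not lift a whitelist from B to A. The Node.js/Express remediation contradicts the Common Misconfigurations table: it reflects a dynamic origin but never sets `Vary: Origin`, which the table itself lists as required (add `res.setHeader('Vary', 'Origin');` before `next();`), and it emits `Access-Control-Allow-Methods` on every response instead of answering the OPTIONS preflight. Minor: the "Multiple Origins with Null Origin" heading only shows the single `null` case, and the JSON Hijacking block is HTML (it contains `<script>` tags) inside a javascript-tagged fence.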
@@ -0,0 +1,311 @@
|
|
|
1
|
+
# Exposed Files & Information Disclosure Checklist
|
|
2
|
+
|
|
3
|
+
## ๐ด High Risk Exposed Files
|
|
4
|
+
|
|
5
|
+
### 1. Configuration Files
|
|
6
|
+
|
|
7
|
+
| File | Risk | What to Check |
|
|
8
|
+
|------|------|--------------|
|
|
9
|
+
| `.env` | ๐ด CRITICAL | Database credentials, API keys, secrets |
|
|
10
|
+
| `.env.local` | ๐ด CRITICAL | Same as .env |
|
|
11
|
+
| `.env.production` | ๐ด CRITICAL | Production secrets |
|
|
12
|
+
| `wp-config.php` | ๐ด CRITICAL | WordPress DB + auth keys |
|
|
13
|
+
| `config.php` | ๐ด CRITICAL | PHP config with DB creds |
|
|
14
|
+
| `settings.py` | ๐ด CRITICAL | Django SECRET_KEY, DB |
|
|
15
|
+
| `config.js` | ๐ด CRITICAL | Node.js config |
|
|
16
|
+
| `application.properties` | ๐ด CRITICAL | Java/Spring config |
|
|
17
|
+
| `application.yml` | ๐ด CRITICAL | YAML config |
|
|
18
|
+
| `web.config` | ๐ HIGH | IIS config |
|
|
19
|
+
| `.htaccess` | ๐ HIGH | May reveal paths, rules |
|
|
20
|
+
| `.htpasswd` | ๐ด CRITICAL | HTTP auth hashes |
|
|
21
|
+
|
|
22
|
+
**Test Payloads:**
|
|
23
|
+
```
|
|
24
|
+
/.env
|
|
25
|
+
/.env
|
|
26
|
+
/.env.local
|
|
27
|
+
/.env.production
|
|
28
|
+
/.env.development
|
|
29
|
+
/.env.staging
|
|
30
|
+
/config.php
|
|
31
|
+
/settings.php
|
|
32
|
+
/config.js
|
|
33
|
+
/configuration.php
|
|
34
|
+
/wp-config.php
|
|
35
|
+
/wp-config.backup
|
|
36
|
+
/configuration.json
|
|
37
|
+
/application.properties
|
|
38
|
+
/application.yml
|
|
39
|
+
/web.config
|
|
40
|
+
/.htaccess
|
|
41
|
+
/.htpasswd
|
|
42
|
+
```
|
|
43
|
+
|
|
44
|
+
---
|
|
45
|
+
|
|
46
|
+
### 2. Git Repository Exposure
|
|
47
|
+
|
|
48
|
+
| Path | Risk | What to Check |
|
|
49
|
+
|------|------|--------------|
|
|
50
|
+
| `/.git/` | ๐ด CRITICAL | Full repository exposure |
|
|
51
|
+
| `/.git/config` | ๐ด CRITICAL | Repository remote, credentials |
|
|
52
|
+
| `/.git/HEAD` | ๐ HIGH | Branch information |
|
|
53
|
+
| `/.git/index` | ๐ด CRITICAL | File list |
|
|
54
|
+
| `/.git/logs/` | ๐ HIGH | Commit history |
|
|
55
|
+
| `/.git/description` | ๐ก MEDIUM | Repository description |
|
|
56
|
+
|
|
57
|
+
**Test Payloads:**
|
|
58
|
+
```
|
|
59
|
+
/.git/
|
|
60
|
+
/.git/config
|
|
61
|
+
/.git/HEAD
|
|
62
|
+
/.git/index
|
|
63
|
+
/.git/logs/HEAD
|
|
64
|
+
/.git/refs/heads/main
|
|
65
|
+
/.git/objects/
|
|
66
|
+
/.gitignore
|
|
67
|
+
/.git/COMMIT_EDITMSG
|
|
68
|
+
/.git/ORIG_HEAD
|
|
69
|
+
```
|
|
70
|
+
|
|
71
|
+
**Automated Tools:**
|
|
72
|
+
```bash
|
|
73
|
+
# Git Dumper
|
|
74
|
+
gitdumper https://target.com/.git/ /outputdir/
|
|
75
|
+
|
|
76
|
+
# GitTools
|
|
77
|
+
gitdumper.sh https://target.com/.git/ output/
|
|
78
|
+
|
|
79
|
+
# Manual check
|
|
80
|
+
curl https://target.com/.git/config
|
|
81
|
+
```
|
|
82
|
+
|
|
83
|
+
---
|
|
84
|
+
|
|
85
|
+
### 3. Backup Files
|
|
86
|
+
|
|
87
|
+
| File Pattern | Risk | Description |
|
|
88
|
+
|--------------|------|-------------|
|
|
89
|
+
| `*.zip` | ๐ด CRITICAL | Compressed backups |
|
|
90
|
+
| `*.tar` | ๐ด CRITICAL | Archive backups |
|
|
91
|
+
| `*.tar.gz` | ๐ด CRITICAL | Gzip archives |
|
|
92
|
+
| `*.sql` | ๐ด CRITICAL | Database dumps |
|
|
93
|
+
| `*.bak` | ๐ HIGH | File backups |
|
|
94
|
+
| `*.backup` | ๐ HIGH | Backup copies |
|
|
95
|
+
| `*.old` | ๐ก MEDIUM | Old versions |
|
|
96
|
+
| `*.tmp` | ๐ก MEDIUM | Temp files |
|
|
97
|
+
| `*~` | ๐ก MEDIUM | Vim/Editor backups |
|
|
98
|
+
| `*.swp` | ๐ก MEDIUM | Vim swap files |
|
|
99
|
+
|
|
100
|
+
**Test Payloads:**
|
|
101
|
+
```
|
|
102
|
+
/backup.zip
|
|
103
|
+
/backups.zip
|
|
104
|
+
/database.zip
|
|
105
|
+
/db.sql
|
|
106
|
+
/database.sql
|
|
107
|
+
/dump.sql
|
|
108
|
+
/backup.sql
|
|
109
|
+
/site.tar.gz
|
|
110
|
+
/website.tar
|
|
111
|
+
/www.zip
|
|
112
|
+
/backup.tar
|
|
113
|
+
/backup/
|
|
114
|
+
/backups/
|
|
115
|
+
/db/
|
|
116
|
+
/database/
|
|
117
|
+
/old/
|
|
118
|
+
/temp/
|
|
119
|
+
/tmp/
|
|
120
|
+
```
|
|
121
|
+
|
|
122
|
+
---
|
|
123
|
+
|
|
124
|
+
### 4. Admin & Debug Panels
|
|
125
|
+
|
|
126
|
+
| Path | Risk | Description |
|
|
127
|
+
|------|------|-------------|
|
|
128
|
+
| `/admin/` | ๐ HIGH | Admin panel |
|
|
129
|
+
| `/wp-admin/` | ๐ HIGH | WordPress admin |
|
|
130
|
+
| `/administrator/` | ๐ HIGH | Joomla admin |
|
|
131
|
+
| `/phpmyadmin/` | ๐ด CRITICAL | Database UI |
|
|
132
|
+
| `/pma/` | ๐ด CRITICAL | phpMyAdmin alias |
|
|
133
|
+
| `/mysql/` | ๐ด CRITICAL | MySQL admin |
|
|
134
|
+
| `/sqlmanager/` | ๐ด CRITICAL | SQL management |
|
|
135
|
+
| `/debug/` | ๐ด CRITICAL | Debug mode |
|
|
136
|
+
| `/api/debug/` | ๐ด CRITICAL | API debug |
|
|
137
|
+
| `/console/` | ๐ HIGH | Debug console |
|
|
138
|
+
| `/debug.php` | ๐ด CRITICAL | Debug script |
|
|
139
|
+
| `/test.php` | ๐ HIGH | Test script |
|
|
140
|
+
| `/info.php` | ๐ HIGH | PHP info |
|
|
141
|
+
| `/phpinfo.php` | ๐ HIGH | PHP info |
|
|
142
|
+
|
|
143
|
+
**Test Payloads:**
|
|
144
|
+
```
|
|
145
|
+
/admin/
|
|
146
|
+
/wp-admin/
|
|
147
|
+
/administrator/
|
|
148
|
+
/backend/
|
|
149
|
+
/manage/
|
|
150
|
+
/management/
|
|
151
|
+
/phpmyadmin/
|
|
152
|
+
/pma/
|
|
153
|
+
/mysql/
|
|
154
|
+
/sqlmanager/
|
|
155
|
+
/debug/
|
|
156
|
+
/api/debug/
|
|
157
|
+
/console/
|
|
158
|
+
/debug.php
|
|
159
|
+
/test.php
|
|
160
|
+
/info.php
|
|
161
|
+
/phpinfo.php
|
|
162
|
+
/health
|
|
163
|
+
/actuator
|
|
164
|
+
/actuator/health
|
|
165
|
+
/actuator/env
|
|
166
|
+
/actuator/info
|
|
167
|
+
```
|
|
168
|
+
|
|
169
|
+
---
|
|
170
|
+
|
|
171
|
+
### 5. Spring Boot Actuator
|
|
172
|
+
|
|
173
|
+
| Endpoint | Risk | Information |
|
|
174
|
+
|----------|------|------------|
|
|
175
|
+
| `/actuator/` | ๐ HIGH | Actuator base |
|
|
176
|
+
| `/actuator/env` | ๐ด CRITICAL | Environment variables |
|
|
177
|
+
| `/actuator/heapdump` | ๐ด CRITICAL | Heap dump (credentials) |
|
|
178
|
+
| `/actuator/threaddump` | ๐ HIGH | Thread info |
|
|
179
|
+
| `/actuator/metrics` | ๐ HIGH | Application metrics |
|
|
180
|
+
| `/actuator/logfile` | ๐ HIGH | Log file access |
|
|
181
|
+
| `/actuator/configprops` | ๐ด CRITICAL | Configuration properties |
|
|
182
|
+
|
|
183
|
+
---
|
|
184
|
+
|
|
185
|
+
### 6. API Documentation
|
|
186
|
+
|
|
187
|
+
| Path | Risk | Information |
|
|
188
|
+
|------|------|-------------|
|
|
189
|
+
| `/swagger/` | ๐ HIGH | Swagger UI |
|
|
190
|
+
| `/swagger-ui/` | ๐ HIGH | Swagger documentation |
|
|
191
|
+
| `/swagger-ui.html` | ๐ HIGH | Swagger HTML |
|
|
192
|
+
| `/api-docs/` | ๐ HIGH | API documentation |
|
|
193
|
+
| `/v2/api-docs/` | ๐ HIGH | OpenAPI v2 |
|
|
194
|
+
| `/v3/api-docs/` | ๐ HIGH | OpenAPI v3 |
|
|
195
|
+
| `/graphiql/` | ๐ HIGH | GraphQL IDE |
|
|
196
|
+
| `/graphql` | ๐ HIGH | GraphQL endpoint |
|
|
197
|
+
| `/api/` | ๐ก MEDIUM | API base path |
|
|
198
|
+
| `/api/v1/` | ๐ก MEDIUM | API versioned |
|
|
199
|
+
|
|
200
|
+
---
|
|
201
|
+
|
|
202
|
+
### 7. Log Files
|
|
203
|
+
|
|
204
|
+
| Path | Risk | Information |
|
|
205
|
+
|------|------|-------------|
|
|
206
|
+
| `/logs/` | ๐ HIGH | Directory listing |
|
|
207
|
+
| `/error.log` | ๐ HIGH | Error messages |
|
|
208
|
+
| `/access.log` | ๐ HIGH | Access history |
|
|
209
|
+
| `/debug.log` | ๐ HIGH | Debug logs |
|
|
210
|
+
| `/console.log` | ๐ก MEDIUM | Console output |
|
|
211
|
+
| `/application.log` | ๐ HIGH | App logs |
|
|
212
|
+
|
|
213
|
+
---
|
|
214
|
+
|
|
215
|
+
### 8. Information Disclosure Files
|
|
216
|
+
|
|
217
|
+
| Path | Risk | Information |
|
|
218
|
+
|------|------|-------------|
|
|
219
|
+
| `/robots.txt` | ๐ก MEDIUM | Reveals hidden paths |
|
|
220
|
+
| `/sitemap.xml` | ๐ก MEDIUM | Site structure |
|
|
221
|
+
| `/security.txt` | ๐ก MEDIUM | Security contact |
|
|
222
|
+
| `/crossdomain.xml` | ๐ก MEDIUM | Flash policy |
|
|
223
|
+
| `/clientaccesspolicy.xml` | ๐ก MEDIUM | Silverlight policy |
|
|
224
|
+
| `/humans.txt` | ๐ก MEDIUM | Developer info |
|
|
225
|
+
| `/server-status` | ๐ด CRITICAL | Apache status |
|
|
226
|
+
| `/server-info` | ๐ HIGH | Server details |
|
|
227
|
+
|
|
228
|
+
---
|
|
229
|
+
|
|
230
|
+
## ๐ Quick Test Commands
|
|
231
|
+
|
|
232
|
+
### cURL-based Check
|
|
233
|
+
```bash
|
|
234
|
+
#!/bin/bash
|
|
235
|
+
TARGET=$1
|
|
236
|
+
echo "Checking exposed files for: $TARGET"
|
|
237
|
+
|
|
238
|
+
PATHS=(
|
|
239
|
+
"/.env"
|
|
240
|
+
"/.git/config"
|
|
241
|
+
"/.git/HEAD"
|
|
242
|
+
"/wp-config.php"
|
|
243
|
+
"/config.php"
|
|
244
|
+
"/backup.zip"
|
|
245
|
+
"/database.sql"
|
|
246
|
+
"/admin/"
|
|
247
|
+
"/debug/"
|
|
248
|
+
"/phpmyadmin/"
|
|
249
|
+
"/actuator/env"
|
|
250
|
+
"/swagger-ui/"
|
|
251
|
+
)
|
|
252
|
+
|
|
253
|
+
for path in "${PATHS[@]}"; do
|
|
254
|
+
STATUS=$(curl -s -o /dev/null -w "%{http_code}" "$TARGET$path")
|
|
255
|
+
if [ "$STATUS" != "404" ] && [ "$STATUS" != "000" ]; then
|
|
256
|
+
echo "โ ๏ธ FOUND: $path (HTTP $STATUS)"
|
|
257
|
+
fi
|
|
258
|
+
done
|
|
259
|
+
```
|
|
260
|
+
|
|
261
|
+
### PowerShell Check
|
|
262
|
+
```powershell
|
|
263
|
+
$target = "https://target.com"
|
|
264
|
+
$paths = @(
|
|
265
|
+
"/.env", "/.git/config", "/.git/HEAD",
|
|
266
|
+
"/wp-config.php", "/config.php",
|
|
267
|
+
"/backup.zip", "/database.sql",
|
|
268
|
+
"/admin/", "/debug/", "/phpmyadmin/",
|
|
269
|
+
"/actuator/env", "/swagger-ui/"
|
|
270
|
+
)
|
|
271
|
+
|
|
272
|
+
foreach ($path in $paths) {
|
|
273
|
+
try {
|
|
274
|
+
$resp = Invoke-WebRequest -Uri "$target$path" -Method Head -TimeoutSec 5 -ErrorAction SilentlyContinue
|
|
275
|
+
if ($resp.StatusCode -ne 404) {
|
|
276
|
+
Write-Host "โ ๏ธ FOUND: $path (HTTP $($resp.StatusCode))" -ForegroundColor Yellow
|
|
277
|
+
}
|
|
278
|
+
} catch {}
|
|
279
|
+
}
|
|
280
|
+
```
|
|
281
|
+
|
|
282
|
+
---
|
|
283
|
+
|
|
284
|
+
## ๐ Risk Scoring
|
|
285
|
+
|
|
286
|
+
| Finding | Score | Action |
|
|
287
|
+
|---------|-------|--------|
|
|
288
|
+
| `.env` exposed | 10 | Critical - Immediate fix |
|
|
289
|
+
| `.git/` directory | 9 | Critical - Immediate fix |
|
|
290
|
+
| Database dump | 10 | Critical - Immediate fix |
|
|
291
|
+
| phpMyAdmin | 8 | High - Restrict access |
|
|
292
|
+
| Debug mode | 8 | High - Disable debug |
|
|
293
|
+
| Actuator env | 9 | Critical - Disable env endpoint |
|
|
294
|
+
| Swagger UI | 5 | Medium - Add auth |
|
|
295
|
+
| Log files | 6 | Medium - Restrict access |
|
|
296
|
+
| robots.txt | 2 | Low - Informational |
|
|
297
|
+
|
|
298
|
+
---
|
|
299
|
+
|
|
300
|
+
## ๐ก๏ธ Remediation Checklist
|
|
301
|
+
|
|
302
|
+
- [ ] Block `.env` access in web server config
|
|
303
|
+
- [ ] Block `.git/` directory listing
|
|
304
|
+
- [ ] Remove backup files from web root
|
|
305
|
+
- [ ] Protect admin panels with IP restriction
|
|
306
|
+
- [ ] Disable debug mode in production
|
|
307
|
+
- [ ] Secure Spring Boot actuator endpoints
|
|
308
|
+
- [ ] Add authentication to API documentation
|
|
309
|
+
- [ ] Disable directory listing
|
|
310
|
+
- [ ] Remove test/debug files
|
|
311
|
+
- [ ] Configure security headers
|
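Review bot: the cURL-based check reports every status other than 404 or 000 as a finding (`if [ "$STATUS" != "404" ] && [ "$STATUS" != "000" ]`), so a site that answers unknown paths with a 200 custom error page, a 3xx redirect to a login page, or a 403 from a WAF will list all twelve paths as FOUND; request a random control path first and compare each result against that baseline, or match only on 200 and print the status for everything else so the reader can judge. The PowerShell variant has the same gap and two of its own: it uses `-Method Head`, which many frameworks answer with 405, and `Invoke-WebRequest` follows redirects by default, so a 301 to a login page arrives as a 200 hit. The cURL loop also runs without `--max-time`, unlike the PowerShell loop's `-TimeoutSec 5`, so one hanging host stalls the whole scan. Minor: `/.env` is listed twice in the first Test Payloads block, and the Risk Scoring table grades `robots.txt` as "Low" while the Information Disclosure Files table marks it MEDIUM.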