Git Credentials Disclosure
Searches for the pattern and log file on passed URLs.
Security Misconfiguration (SM)
How this template works
The template uses API selection filters to specify the criteria for selecting the API requests to be executed. In this case, it filters the requests based on the response code, ensuring that it is between 200 and 299, and extracts the URL from the response using the "urlVar" variable.
The template specifies a single request to be executed. It modifies the URL by appending "/.git-credentials" to the extracted URL. This request is sent to the modified URL to check for the presence of the .git-credentials file.
The template defines validation criteria to verify the response of the executed request. It checks that the response code is equal to 200, the response payload contains both "https://" and "@github.com", and the response headers do not contain the value "text/html". These validations ensure that the .git-credentials file is present and contains the expected sensitive information.
Frequently asked questions
What is the purpose of the Git Credentials Disclosure test
What are the potential impacts of disclosing Git credentials
What category and subcategory does the Git Credentials Disclosure vulnerability fall under
What are the validation criteria for a successful test execution
What are the API selection filters used in this test
How does the test modify the URL for the request