2023-09-22 22:14:26 +00:00
|
|
|
|
id: vercel-source-exposure
|
2023-09-23 09:41:29 +00:00
|
|
|
|
|
2023-09-22 22:06:28 +00:00
|
|
|
|
info:
|
2023-09-22 22:16:24 +00:00
|
|
|
|
name: Vercel Source Code Exposure
|
2023-09-22 22:06:28 +00:00
|
|
|
|
author: hlop
|
|
|
|
|
|
severity: medium
|
2023-09-23 09:41:29 +00:00
|
|
|
|
description: |
|
|
|
|
|
|
The Vercel Source Code Exposure misconfiguration allows an attacker to access sensitive source code files on the Vercel platform.
|
2023-10-14 11:27:55 +00:00
|
|
|
|
reference:
|
|
|
|
|
|
- https://vercel.com/docs/projects/overview#logs-and-source-protection
|
2023-09-23 09:41:29 +00:00
|
|
|
|
metadata:
|
2023-10-14 11:27:55 +00:00
|
|
|
|
max-request: 1
|
2023-09-23 09:41:29 +00:00
|
|
|
|
fofa-query: cname_domain="vercel.app" || icon_hash="-2070047203"
|
2023-09-22 22:06:28 +00:00
|
|
|
|
tags: vercel,exposure,misconfig
|
|
|
|
|
|
|
|
|
|
|
|
http:
|
|
|
|
|
|
- method: GET
|
|
|
|
|
|
path:
|
|
|
|
|
|
- "{{BaseURL}}/_src"
|
2023-09-23 09:41:29 +00:00
|
|
|
|
|
2023-09-22 22:06:28 +00:00
|
|
|
|
redirects: true
|
|
|
|
|
|
max-redirects: 3
|
2023-10-14 11:27:55 +00:00
|
|
|
|
|
2023-09-22 22:06:28 +00:00
|
|
|
|
matchers-condition: and
|
|
|
|
|
|
matchers:
|
2023-09-23 09:41:29 +00:00
|
|
|
|
- type: word
|
|
|
|
|
|
part: body
|
|
|
|
|
|
words:
|
|
|
|
|
|
- "Deployment Source</title>"
|
|
|
|
|
|
- "Deployment Source – Dashboard – Vercel"
|
|
|
|
|
|
condition: or
|
|
|
|
|
|
|
|
|
|
|
|
- type: word
|
|
|
|
|
|
part: body
|
|
|
|
|
|
words:
|
|
|
|
|
|
- "<title>Login – Vercel</title>"
|
|
|
|
|
|
negative: true
|
2023-10-20 11:41:13 +00:00
|
|
|
|
|
|
|
|
|
|
# digest: 4b0a00483046022100d755b980bf15a207f2e014f51819babff9571cba19d3637c6bd30ca99689152e022100e62fc4eceda91db3889373a7f38460633952c9d1ef102ce59ffcc5840d6330f0:922c64590222798bb761d5b6d8e72950
|
