Merge pull request #6480 from noraj/noraj/packages

node.js package manager update

contributors.json

@@ -1380,6 +1380,15 @@
         }
     },
     {
+        "author": "noraj",
+        "links": {
+            "github": "https://github.com/noraj",
+            "twitter": "https://twitter.com/noraj_rawsec",
+            "linkedin": "",
+            "website": "https://pwn.by/noraj",
+            "email": ""
+        }
+    },{
         "author": "mabdullah22",
         "links": {
             "github": "https://www.github.com/maabdullah22",
@@ -1389,5 +1398,4 @@
             "email": ""
         }
     }
-
-]
+]

http/exposures/configs/package-json.yaml

@@ -1,18 +1,19 @@
 id: package-json
 
 info:
-  name: npm Config - Detect
-  author: geeknik,afaq
+  name: NPM package.json Disclosure
+  author: geeknik,afaq,noraj
   severity: info
-  description: npm configuration information was detected. All npm packages contain a file, usually in the project root, called package.json - this file holds various metadata relevant to the project.
-  reference: https://www.npmjs.com
-  classification:
-    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
-    cvss-score: 0.0
-    cwe-id: CWE-200
-  tags: config,exposure
+  description: |
+    All NodeJS packages contain a file, usually in the project root, called package.json - this file holds various metadata relevant to the project generated by package managers such as npm, yarn, pnpm.
+  reference:
+    - https://docs.npmjs.com/cli/v9/configuring-npm/package-json
+    - https://classic.yarnpkg.com/lang/en/docs/package-json/
+    - https://pnpm.io/package_json
   metadata:
     max-request: 2
+    verified: true
+  tags: config,exposure,node,npm
 
 http:
   - method: GET
@@ -29,12 +30,10 @@ http:
         condition: and
 
       - type: word
+        part: header
         words:
           - "application/json"
-        part: header
 
       - type: status
         status:
-          - 200
-
-# Enhanced by mp on 2023/02/05
+          - 200

http/exposures/files/bower-json.yaml

@@ -1,13 +1,14 @@
 id: bower-json
 
 info:
-  name: bower.json file disclosure
-  author: oppsec
+  name: bower.json File Disclosure
+  author: oppsec,noraj
   severity: info
-  description: Bower is a package manager which stores package information in the bower.json file
-  tags: exposure,files
-  metadata:
-    max-request: 1
+  description: |
+    Bower is a package manager which stores package information in the bower.json file
+  reference:
+    - https://github.com/bower/spec/blob/master/json.md
+  tags: exposure,files,bower
 
 http:
   - method: GET
@@ -17,6 +18,7 @@ http:
     matchers-condition: and
     matchers:
       - type: word
+        part: body
         words:
           - "name"
           - "description"
@@ -24,10 +26,10 @@ http:
         condition: and
 
       - type: word
+        part: header
         words:
           - "application/json"
-        part: header
 
       - type: status
         status:
-          - 200
+          - 200

http/exposures/files/npm-shrinkwrap-exposure.yaml

@@ -2,13 +2,17 @@ id: npm-shrinkwrap-exposure
 
 info:
   name: Node Shrinkwrap Exposure
-  author: DhiyaneshDk
+  author: DhiyaneshDk,noraj
   severity: info
+  description: |
+    A file created by npm shrinkwrap. It is identical to package-lock.json.
+  reference:
+    - https://docs.npmjs.com/cli/v9/configuring-npm/npm-shrinkwrap-json
   metadata:
-    max-request: 1
     verified: true
+    max-request: 1
     shodan-query: html:"npm-shrinkwrap.json"
-  tags: config,exposure,npm,files
+  tags: config,exposure,npm,files,node
 
 http:
   - method: GET
@@ -30,4 +34,4 @@ http:
 
       - type: status
         status:
-          - 200
+          - 200

http/exposures/files/pnpm-lock.yaml

@@ -0,0 +1,34 @@
+id: pnpm-lock
+
+info:
+  name: PNPM Lock Yaml File Disclosure
+  author: noraj
+  severity: info
+  description: |
+    The pnpm-lock.yaml file is similar to the package-lock.json file used by npm or the yarn.lock file used by Yarn. It serves as a lock file that ensures consistent and reproducible installations of dependencies across different environments.
+  reference:
+    - https://pnpm.io/cli/install#tldr
+  metadata:
+    max-request: 1
+    verified: true
+    shodan-query: html:"pnpm-lock.yaml"
+  tags: exposure,files,node,npm,pnpm
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/pnpm-lock.yaml"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "lockfileVersion:"
+          - "specifiers:"
+          - "packages:"
+        condition: and
+
+      - type: status
+        status:
+          - 200

http/exposures/files/yarn-lock.yaml

@@ -1,15 +1,17 @@
 id: yarn-lock
 
 info:
-  name: yarn lock file disclosure
-  author: oppsec
+  name: Yarn Lock File Disclosure
+  author: oppsec,noraj
   severity: info
-  description: The yarn.lock file stores the versions of each Yarn dependency installed.
-  tags: exposure,files
-  metadata:
-    max-request: 1
+  description: |
+    The yarn.lock file stores the versions of each Yarn dependency installed. It's a lock file for package.json.
+  reference:
+    - https://classic.yarnpkg.com/lang/en/docs/yarn-lock/
+  tags: exposure,files,yarn
 
 http:
+
   - method: GET
     path:
       - "{{BaseURL}}/yarn.lock"
@@ -17,15 +19,16 @@ http:
     matchers-condition: and
     matchers:
       - type: word
+        part: body
         words:
           - "# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY."
           - "# yarn lockfile v1"
         condition: and
 
       - type: word
+        part: header
         words:
           - "text/html"
-        part: header
 
       - type: status
         status: