id: appsettings-file-disclosure info: name: Application Setting file disclosure author: DhiyaneshDK,tess severity: high description: | appsetting.json file discloses the DB connection strings containing sensitive information. reference: - https://twitter.com/hacker_/status/1518003548855930882?s=20&t=BVauK0yUjVl5yL7rwy0Eag metadata: verified: true tags: exposure,files requests: - method: GET path: - "{{BaseURL}}/appsettings.json" - "{{BaseURL}}/appsettings.Production.json" stop-at-first-match: true matchers-condition: and matchers: - type: word words: - "ConnectionStrings" - type: word part: header words: - "application/json" - type: status status: - 200