json-web-services-api<\\/title>.*" - type: word part: header words: - "text/html" - type: status status: - 200 # digest: 4b0a00483046022100c04b1fa69c1e83b856f13dd449760aaa26a18fe39ac690f5e94a44ea7f60fb00022100c86817556b46fab3d595d843b77926c4f6656e9ab9d8df2fffad5af2c6f9b7fd:922c64590222798bb761d5b6d8e72950

id: liferay-jsonws

info:
  name: Liferay /api/jsonws - API Exposed
  author: DhiyaneshDk
  severity: low
  description: Liferay /api/jsonws - API is Exposed.
  reference:
    - https://github.com/ilmila/J2EEScan/blob/master/src/main/java/burp/j2ee/issues/impl/LiferayAPI.java
    - https://liferay.dev/blogs/-/blogs/securing-the-api-jsonws-ui?_com_liferay_blogs_web_portlet_BlogsPortlet_showFlags=true&scroll=_com_liferay_blogs_web_portlet_BlogsPortlet_discussionContainer
  metadata:
    verified: true
    max-request: 1
    shodan-query: title:"Liferay"
  tags: liferay,exposure,api,misconfig

http:
  - method: GET
    path:
      - "{{BaseURL}}/api/jsonws"

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - ".*<title>json-web-services-api<\\/title>.*"

      - type: word
        part: header
        words:
          - "text/html"

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100c04b1fa69c1e83b856f13dd449760aaa26a18fe39ac690f5e94a44ea7f60fb00022100c86817556b46fab3d595d843b77926c4f6656e9ab9d8df2fffad5af2c6f9b7fd:922c64590222798bb761d5b6d8e72950