id: prometheus-flags

info:
  name: Prometheus flags API endpoint
  author: geeknik
  severity: info
  description: The flags endpoint provides a full path to the configuration file. If the file is stored in the home directory, it may leak a username.
  reference:
    - https://jfrog.com/blog/dont-let-prometheus-steal-your-fire/
  metadata:
    max-request: 1
  tags: prometheus,leak,misconfig

http:
  - method: GET
    path:
      - "{{BaseURL}}/api/v1/status/flags"

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        words:
          - '"data":'
          - '"config.file":'
        condition: and

      - type: word
        part: header
        words:
          - 'application/json'

    extractors:
      - type: regex
        name: web_admin_enabled
        regex:
          - '\"web\.enable\-admin\-api\"\: \"true\"'

# digest: 4a0a0047304502202c5944a52cbb910d5ffd4741d3ba1a58127d71e530f255fe5f73088f89dd0b85022100edabee72ec909322a77a427a2993c093e689912eca5f3d1fcce72bb80f074314:922c64590222798bb761d5b6d8e72950