id: composer-config

info:
  name: Composer Config - Detect
  author: Mahendra Purbia (Mah3Sec_)
  severity: info
  description: Composer configuration file detected.
  reference: https://getcomposer.org/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    cvss-score: 0.0
    cwe-id: CWE-200
  tags: config,exposure

requests:
  - method: GET
    # Locations where Composer manifest, lock and install metadata may be web-accessible.
    path:
      - "{{BaseURL}}/composer.json"
      - "{{BaseURL}}/composer.lock"
      - "{{BaseURL}}/.composer/composer.json"
      - "{{BaseURL}}/vendor/composer/installed.json"

    # Each matcher requires a body keyword, a Content-Type and HTTP 200;
    # either matcher firing reports a finding (default matcher condition is "or").
    matchers:
      - type: dsl
        name: composer.lock
        dsl:
          - "contains(body, 'packages') && contains(tolower(all_headers), 'application/octet-stream') && status_code == 200"

      - type: dsl
        name: composer.json
        dsl:
          - "contains(body, 'require') && contains(tolower(all_headers), 'application/json') && status_code == 200"

# Enhanced by mp on 2023/02/05