id: prometheus-flags info: name: Prometheus flags API endpoint author: geeknik severity: info description: The flags endpoint provides a full path to the configuration file. If the file is stored in the home directory, it may leak a username. reference: - https://jfrog.com/blog/dont-let-prometheus-steal-your-fire/ metadata: max-request: 1 tags: prometheus,leak,misconfig http: - method: GET path: - "{{BaseURL}}/api/v1/status/flags" matchers-condition: and matchers: - type: status status: - 200 - type: word words: - '"data":' - '"config.file":' condition: and - type: word part: header words: - 'application/json' extractors: - type: regex name: web_admin_enabled regex: - '\"web\.enable\-admin\-api\"\: \"true\"'