id: rails-secret-token-disclosure

info:
  name: Ruby on Rails Secret Token Disclosure
  author: dhiyaneshDk
  severity: medium
  description: Ruby on Rals Secret Token file is exposed.
  reference:
    - https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/ruby-on-rails-secret-token-disclosure.json
  metadata:
    max-request: 1
  tags: exposure,files,rails,ruby,token

http:
  - method: GET
    path:
      - "{{BaseURL}}/config/initializers/secret_token.rb"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "secret_key_base ="
          - "config.secret_token ="
        part: body
        condition: and

      - type: status
        status:
          - 200
# digest: 490a004630440220264164d6e9f3b094caaf8923a3477584f9bf389e1969fc97dc4d8b52716bec96022073e4c657a0900d2466875ad2dcfea439352e7301d270d53213b25436a2c7d27c:922c64590222798bb761d5b6d8e72950