id: debug-vars

info:
  name: Golang Expvar - Detect
  author: luqman
  severity: low
  description: Golang expvar function exposes multiple public variables via HTTP such as stack trace information and server operation counters.
  metadata:
    max-request: 1
  tags: go,debug,exposure

http:
  - method: GET
    path:
      - "{{BaseURL}}/debug/vars"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - '"memstats":'
          - '"cmdline":'
        condition: and

      - type: status
        status:
          - 200

# digest: 4a0a00473045022100e8e01368901ebc22b4dfc118084d0ad34fad1d956a8317c6addcad61f357e372022030260d85513e57f4bafab4ce1cea17bc90a36d4aaab76fcfa0c7cce378bfaf6c:922c64590222798bb761d5b6d8e72950