id: npmrc-authtoken

info:
  name: Hardcoded .npmrc AuthToken
  author: geeknik
  severity: info
  reference:
    - https://docs.npmjs.com/cli/v8/configuring-npm/npmrc
    - https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-npm-registry
  metadata:
    verified: true
    max-request: 1
    google-query: intitle:"index of" ".npmrc"
  tags: npm,exposure

http:
  - method: GET
    path:
      - "{{BaseURL}}/.npmrc"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "_authToken="
          - "_auth="
        condition: or

      - type: word
        part: header
        words:
          - "text/html"
          - "application/javascript"
          - "application/json"
        negative: true

      - type: status
        status:
          - 200

# digest: 4b0a0048304602210098621df2f21f1e55d5f886ffa335c061b6b700f20ff390868f03acea716bf621022100b14a16b8048248ba2b1e60e2200cd0dfce51d296f3bd6e7f57317e5ec0bc95d7:922c64590222798bb761d5b6d8e72950