Containers Endpoint Exposed.bcheck
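metadata:
    language: v2-beta
    name: "Containers Endpoint Exposed"
    description: "Containers endpoints that have been exposed"
    author: "Kaustubh"

# One GET per path per host. The list mixes container-runtime API paths,
# orchestrator endpoints, cloud metadata paths and host filesystem paths,
# so a hit on any of them is only a candidate until the body is inspected.
run for each:
    potential_path =
        "/Dockerrun.aws.json",
        "/v1.24/containers/json",
        "/v1.24/images/json",
        "/v1.24/version",
        "/Dockerfile",
        "/docker-compose.yml",
        "/api/v1/nodes",
        "/pods",
        "/metrics",
        "/api/v1/namespaces/kube-system/services/kubernetes-dashboard:/proxy/",
        "/ecs-agent/v1/metadata",
        "/ecs-agent/v1/tasks",
        "/computeMetadata/v1/",
        "/computeMetadata/v1/instance",
        "/computeMetadata/v1/project",
        "/metadata/instance",
        "/etc/hosts",
        "/etc/resolv.conf",
        "/etc/environment",
        "/var/log/",
        "/proc/self/cgroup",
        "/sys/fs/cgroup",
        "/etc/passwd",
        "/etc/shadow",
        "/root/.ssh/",
        "/var/lib/docker/",
        "/run/secrets/"

given host then
    send request called check:
        method: "GET"
        path: {potential_path}

    if {check.response.status_code} is "200" then
        # Compare against a random garbage path to rule out soft-404 pages that return
        # 200 for every URL (would otherwise produce a false positive for every path).
        send request called garbage:
            method: "GET"
            path: `/{random_str(16)}`

        # This guard only filters catch-all pages: a site that renders a distinct
        # 200 page per route still passes it, and the check never looks at the
        # response body. The finding is therefore reported as tentative, which
        # matches the manual-verification request in the detail text.
        # NOTE(review): assumes `differs from` tolerates volatile headers such as
        # Date; confirm against the BCheck reference, otherwise every pair differs.
        if {garbage} differs from {check} then
            report issue and continue:
                severity: high
                confidence: tentative
                detail: `Container or infrastructure endpoint exposed at {potential_path}. Verify the response content manually.`
                remediation: "Restrict access to container management endpoints. These paths should never be reachable from the internet."
        end if
    end if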