|
1 | | -## Summary |
2 | | -This module detects publicly exposed **ReDoc** API documentation pages. |
3 | | -It performs safe, read-only HTTP GET requests and reports likely ReDoc instances based on common HTML markers. |
| 1 | +## ReDoc API Docs UI Exposed |
4 | 2 |
|
5 | | -## Module name |
6 | | -`auxiliary/scanner/http/redoc_exposed` |
| 3 | +Detects publicly exposed ReDoc API documentation pages by looking for known DOM elements, script names, and titles. The module is read-only and makes safe GET requests. |
7 | 4 |
|
8 | | -## Options |
9 | | -* **RPORT** – Target TCP port (default: 80) |
10 | | -* **SSL** – Enable TLS (default: false) |
11 | | -* **REDOC_PATHS** – Optional comma-separated list of paths to probe. When unset, the module probes: `/redoc, /redoc/, /docs, /api/docs, /openapi`. |
| 5 | +### Module Options |
12 | 6 |
|
13 | | -## Verification steps |
14 | | -1. Start `msfconsole` |
15 | | -2. `use auxiliary/scanner/http/redoc_exposed` |
16 | | -3. `set RHOSTS <target or file:/path/to/targets.txt>` |
17 | | -4. (Optional) `set REDOC_PATHS /redoc,/docs` |
18 | | -5. (Optional) `set RPORT <port>` and/or `set SSL true` |
19 | | -6. `run` |
20 | | - |
21 | | -### Expected |
| 7 | +* **RHOSTS** (required): Target address range or CIDR identifier. |
| 8 | +* **RPORT**: Default `80` (overridable via `DefaultOptions` or at runtime). |
| 9 | +* **SSL**: HTTPS support is registered by default (set if needed). |
| 10 | +* **REDOC_PATHS**: Comma-separated custom paths to probe. If unset, defaults to: |
| 11 | + `/redoc,/redoc/,/docs,/api/docs,/openapi`. |
22 | 12 |
|
23 | | -`[+] <ip> - ReDoc likely exposed at <path>` |
| 13 | +### Verification Steps |
24 | 14 |
|
25 | | -### Scanning notes |
26 | | -- DOM-driven checks via `get_html_document`: |
27 | | - - `<redoc>` / `redoc-` custom elements |
28 | | - - `#redoc` container |
29 | | - - `<script src="...redoc(.standalone).js">` |
30 | | -- Falls back to body/title heuristics if DOM parsing is unavailable. |
31 | | -- No intrusive actions; **read-only** HTTP GET requests only. |
32 | | - |
33 | | -### Example session |
| 15 | +1. Start `msfconsole`. |
| 16 | +2. `use auxiliary/scanner/http/redoc_exposed` |
| 17 | +3. `set RHOSTS <target-or-range>` |
| 18 | +4. (Optional) `set REDOC_PATHS /redoc,/docs` |
| 19 | +5. (Optional) `set SSL true` |
| 20 | +6. `run` |
34 | 21 |
|
35 | | -use auxiliary/scanner/http/redoc_exposed |
36 | | -set RHOSTS 127.0.0.1 |
37 | | -set RPORT 8001 |
38 | | -set SSL false |
39 | | -run |
| 22 | +### Scenarios |
| 23 | +```text |
| 24 | +msf6 > use auxiliary/scanner/http/redoc_exposed |
| 25 | +msf6 auxiliary(scanner/http/redoc_exposed) > set RHOSTS 192.0.2.0/24 |
| 26 | +msf6 auxiliary(scanner/http/redoc_exposed) > run |
| 27 | +[+] 192.0.2.15 - ReDoc likely exposed at /docs |
| 28 | +[*] 192.0.2.23 - no ReDoc found |
| 29 | +``` |
| 30 | +### Notes |
| 31 | + |
| 32 | +* **Stability**: `CRASH_SAFE` (GET requests only). |
| 33 | +* **Reliability**: No session creation. |
| 34 | +* **SideEffects**: Requests may appear in server logs (`IOC_IN_LOGS` if applicable). |
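Review bot: The removed "Scanning notes" list (the `<redoc>` / `redoc-` custom elements, the `#redoc` container, the `redoc(.standalone).js` script source, and the body/title fallback) is replaced only by "known DOM elements, script names, and titles" in the new summary, so a reader can no longer tell what a `[+] ... ReDoc likely exposed` result was matched on. Because the default paths include generic ones such as `/docs` and `/openapi`, please keep the marker list, for example under `### Notes`, so a reported hit can be verified by hand and false positives triaged. In the options list, `SSL` now reads "HTTPS support is registered by default (set if needed)", which drops the default the old text stated (`false`); state the default value directly. Verification Steps also loses the optional `set RPORT <port>` step even though RPORT is still documented, and a blank line is missing between the closing fence of the Scenarios block and `### Notes`.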