search

google / tsunami-security-scanner-plugins

This project aims to provide a central repository for many useful Tsunami Security Scanner plugins.
Apache License 2.0
860 stars 178 forks source link

PRP: Request Web Application Fingerprint - Apache Couchdb #397

Closed W0ngL1 closed 4 months ago

W0ngL1 commented 4 months ago

Hi there,

I would like to start the implementation for a web application fingerprint that detects the following software - Apache Couchdb.

Docker hub image: https://hub.docker.com/_/couchdb

I cannot find these fingerprints in this repository. So please let me know if this is in scope.

tooryx commented 4 months ago

Hi @W0ngL1,

You can start working on this fingerprints.

~tooryx

W0ngL1 commented 4 months ago

Thanks @tooryx, I'm working on it.

W0ngL1 commented 4 months ago

Hi @tooryx, I've tried today, and it seems that the latest version of couchdb cannot be fingerprinted by this way, all static files cannot be requested directly.

INFO: No new fingerprints found.

Deprecated Gradle features were used in this build, making it incompatible with Gradle 7.0.
Use '--warning-mode all' to show the individual deprecation warnings.
See https://docs.gradle.org/6.5/userguide/command_line_interface.html#sec:command_line_warnings

BUILD SUCCESSFUL in 25s
6 actionable tasks: 1 executed, 5 up-to-date
fingerprint updating failed

I tested with Solr, it works well #395. And next time I'll contribute other fingerprinters only after testing the latest working version.

INFO: Write data file to /root/solr_fingerprints/fingerprints/fingerprint.binproto.

Deprecated Gradle features were used in this build, making it incompatible with Gradle 7.0.
Use '--warning-mode all' to show the individual deprecation warnings.
See https://docs.gradle.org/6.5/userguide/command_line_interface.html#sec:command_line_warnings

BUILD SUCCESSFUL in 5s
6 actionable tasks: 1 executed, 5 up-to-date
Fingerprint updated for Solr. Please commit the following file:
  /root/solr_fingerprints/fingerprints/fingerprint.binproto
tooryx commented 4 months ago

Hi @W0ngL1,

I do not have a lot of experience with CouchDB, but it does not seem to really be a web service but rather a database with an HTTP-like API. Maybe it does not make sense to add a fingerprint for it in the WebFingerprinter then, what do you think?

~tooryx

W0ngL1 commented 4 months ago

Hi @tooryx,

You're right. It does not make sense to add fingerprint for it. And sorry for wasting your time.

I used to think that couchdb is popular so it must have a GUI interface for users, like kibana and elasticsearch. But it's just a JSON-API.

Next time I'll contribute other fingerprinters only after testing the latest working version. And as mentioned in the previous comment, Solr can be fingerprinted. If you think it's in scope, I can start my work.

tooryx commented 4 months ago

Hi @W0ngL1,

No worries. Sorry that you invested time and it did not pay of. I will check the apache solr one.

~tooryx