google / tsunami-security-scanner-plugins

This project aims to provide a central repository for many useful Tsunami Security Scanner plugins.
Apache License 2.0

AI PRP: Minio Weak credentials tester #478

Open JamesFoxxx opened 2 months ago

JamesFoxxx commented 2 months ago

There are multiple default MinIO usernames and passwords in the documentation, which they asked us to change. If admins forget to change the default credentials, it'll be dangerous.

MinIO documentation: https://min.io/docs/minio/linux/operations/installation.html

maoning commented 1 month ago

@JamesFoxxx do you know if the auth can be verified against the MinIO API endpoint which is usually running at port 9000?

We noticed in the past that the MinIO dashboard is running at a random 5-digit port which is hard to always detect.

JamesFoxxx commented 1 month ago

I can work on this. At first glance, it has a constant port with the Docker setup at least :) https://min.io/docs/minio/container/index.html

JamesFoxxx commented 1 month ago

@maoning but I'm curious now about what you are asking, because it is supposed to be that admins use the default setup instructions, which contain the default user/password. By the default setup instructions, the ports are constant too (minio server ~/minio --console-address :9001).