Module Todo: Dirbust Common Sensitive Files #705
TheTechromancer
started this conversation in
Ideas
Replies: 1 comment
pending ffuf helper (or compatible solution)
We should ask chatgpt what the top twenty or so sensitive files found in a webroot are, and check for them. This would enable us to find "easy wins" at scale without running a full dirbust or nuclei scan.
Prerequisites:
ffuf to a helper)
Alternatively, these could probably be made into nuclei templates and tagged collectively as sensitive-files or something similar. There might already be a category like this.
Examples of file candidates include:
Courtesy of chatgpt:
wp-config.php - The main configuration file for WordPress. Contains database credentials, security keys, and other settings.
web.config - Configuration file for Microsoft IIS-based applications. May contain database credentials and other sensitive application settings.
app.config - Similar to web.config, but typically used for desktop .NET applications. Can also be found in web applications.
.env - Environment configuration file often used with PHP (Laravel), Python (Django, Flask), Ruby (Rails), and Node.js (Express) applications. Typically contains various credentials and API keys.
.git/config - Contains repository configuration data, including remote repository URLs which could expose infrastructure details or credentials if remotes are accessed over HTTP Basic Authentication.
database.yml - This is the standard configuration file for databases in Ruby on Rails applications. It includes database names, usernames, and passwords.
settings.py - In Django, a Python web framework, this file contains many settings including database connection information, secret key, and debug status.
.htpasswd - Contains usernames and password hashes for basic authentication of HTTP users.
prod.secret.exs - This file is used in Phoenix, a popular web framework built with Elixir, to store production secrets such as database passwords, secret keys, and API credentials.
secret_token.rb - In Ruby on Rails, this file is used to set your secret key, which is used to verify the integrity of signed cookies.
carrierwave.rb - This initializer file is used with the CarrierWave gem in Ruby applications for file uploads. It may contain sensitive information like Amazon S3 access keys and secrets for storing files in S3 buckets.
master.key or credentials.yml.enc - In Ruby on Rails, these files are used to store production app secrets. If both files are obtained, an attacker can decrypt all the secrets.
Web.*.config - These are transformation config files in ASP.NET used when deploying applications. They can contain sensitive information meant for the production environment.
mongo-config.conf - Configuration file for MongoDB databases, may contain sensitive details such as credentials, replica set specifications, and more.
settings.xml - Maven settings file (Java), which can contain server configurations, including usernames and passwords.
service-account.json - Typical name for Google Cloud service account files, which contain keys that can grant access to various Google Cloud services.
config/database.yml - Another database configuration file, typically in Ruby on Rails, that contains credentials to the database.
parameters.yml, parameters.ini, parameters.xml - In Symfony (PHP framework), these files are used to store per-environment settings, including database credentials, mailer parameters, and secret tokens.
LocalSettings.php - Configuration file for MediaWiki installations, typically contains database credentials and other sensitive settings.
config/secrets.yml - In Ruby on Rails, this file is used to store application secrets. Can contain credentials for external services and encryption keys.
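Added example (not part of the original post and not BBOT code): the candidate list above, run as a pre-deployment audit over a local webroot directory so these files are caught before they are ever served. The names `audit_webroot` and `demo` and the sample file tree are constructed for illustration.

```python
import fnmatch
import os
import tempfile

# Names from the post's list, compared case-insensitively. Entries with "/"
# match the tail of the relative path; others match the file name (glob ok).
CANDIDATES = [
    "wp-config.php", "web.config", "app.config", ".env", ".git/config",
    "database.yml", "settings.py", ".htpasswd", "prod.secret.exs",
    "secret_token.rb", "carrierwave.rb", "master.key", "credentials.yml.enc",
    "Web.*.config", "mongo-config.conf", "settings.xml",
    "service-account.json", "config/database.yml", "parameters.yml",
    "parameters.ini", "parameters.xml", "LocalSettings.php",
    "config/secrets.yml",
]


def audit_webroot(webroot):
    """Return sorted relative paths under webroot that match a candidate."""
    hits = set()
    for dirpath, _dirs, filenames in os.walk(webroot):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            for pattern in (p.lower() for p in CANDIDATES):
                if "/" in pattern:
                    ok = ("/" + rel.lower()).endswith("/" + pattern)
                else:
                    ok = fnmatch.fnmatchcase(name.lower(), pattern)
                if ok:
                    hits.add(rel)
                    break
    return sorted(hits)


def demo():
    """Audit a constructed sample webroot built in a temp directory."""
    sample = [".env", ".git/config", "app/Web.Release.config",
              "blog/wp-config.php", "index.php", "static/site.css"]
    with tempfile.TemporaryDirectory() as root:
        for rel in sample:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
        return audit_webroot(root)


if __name__ == "__main__":
    print("\n".join(demo()))
```

A non-empty result from `audit_webroot` can fail a CI deploy step; files that must stay in the tree should instead be denied by the web server configuration.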