Yarn Lock File Disclosure
ID: yarn-lock
Severity: info
Author: oppsec,noraj
Tags: exposure,files,yarn
Description
The yarn.lock file stores the versions of each Yarn dependency installed. It’s a lock file for package.json.
YAML Source
id: yarn-lock

info:
  name: Yarn Lock File Disclosure
  author: oppsec,noraj
  severity: info
  description: |
    The yarn.lock file stores the versions of each Yarn dependency installed. It's a lock file for package.json.
  reference:
    - https://classic.yarnpkg.com/lang/en/docs/yarn-lock/
  metadata:
    max-request: 1
  tags: exposure,files,yarn

http:
  - method: GET
    path:
      - "{{BaseURL}}/yarn.lock"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY."
          - "# yarn lockfile v1"
        condition: and

      - type: word
        part: header
        words:
          - "text/html"

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100df0c38938e71a0357f9ff7dae8113ea46868d469c4f6d070cee711e9d0e5c34d022100ce60c16b5cf342b8370ad435829d8d3e50ccdbca5c674336abb44bb71924a58e:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/exposures/files/yarn-lock.yaml"
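
Added example, not part of the template or the Nuclei project: an offline Python approximation of how the three matchers in the YAML source combine under matchers-condition: and, run against constructed responses so you can see which matcher decides the verdict. Modelling the header part as joined "Name: value" lines is an assumption of this sketch.

```python
# Offline approximation of the yarn-lock template's matcher logic.
# All response data below is constructed, not captured from a real host.

BODY_WORDS = [
    "# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.",
    "# yarn lockfile v1",
]
HEADER_WORDS = ["text/html"]
STATUS_CODES = [200]


def evaluate(status, headers, body):
    """Return each matcher's result and the overall verdict."""
    # Assumption: 'part: header' is modelled as the header lines joined together.
    header_blob = "\r\n".join(f"{k}: {v}" for k, v in headers.items())
    results = {
        # condition: and -> every body word must be present (case-sensitive)
        "body_words": all(w in body for w in BODY_WORDS),
        # no condition given -> any listed word is enough
        "header_words": any(w in header_blob for w in HEADER_WORDS),
        "status": status in STATUS_CODES,
    }
    # matchers-condition: and -> all three matchers must pass
    results["match"] = all(results.values())
    return results


# Constructed lockfile body in the v1 format the body matcher looks for.
LOCKFILE = (
    "# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.\n"
    "# yarn lockfile v1\n\n\n"
    "lodash@^4.17.15:\n"
    '  version "4.17.21"\n'
)

SAMPLES = {
    "html_lockfile": (200, {"Content-Type": "text/html; charset=utf-8"}, LOCKFILE),
    "plain_lockfile": (200, {"Content-Type": "text/plain"}, LOCKFILE),
    "not_found": (404, {"Content-Type": "text/html"}, "<h1>Not Found</h1>"),
}


def run_samples():
    """Evaluate every constructed sample and return the per-matcher results."""
    return {name: evaluate(*resp) for name, resp in SAMPLES.items()}


if __name__ == "__main__":
    for name, res in run_samples().items():
        print(name, res)
```

With the matchers as written on this page, the text/plain sample passes the body and status matchers but fails the header matcher, so when auditing your own hosts a no-match result is worth confirming by requesting /yarn.lock directly.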