Skip to content
Nuclei Templates

Graylog REST API Endpoints - Exposure

ID: graylog-api-exposure

Severity: info

Author: Arqsz

Tags: tech,graylog,api,swagger,fuzz

Description

Section titled “Description”

Graylog is a centralized log management solution. According to the official documentation, it exposes multiple endpoints (some by default).

YAML Source

Section titled “YAML Source”
id: graylog-api-exposure


info:
  name: Graylog REST API Endpoints - Exposure
  author: Arqsz
  severity: info
  description: |
    Graylog is a centralized log management solution. According to the official documentation, it exposes multiple endpoints (some by default).
  reference:
    - https://go2docs.graylog.org/5-0/setting_up_graylog/rest_api.html
    - https://gist.github.com/asachs01/f1f317b2924a688deb8ed2520a4520bd
  classification:
    cpe: cpe:2.3:a:graylog:graylog:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 50
    vendor: graylog
    product: graylog
    shodan-query: Graylog
  tags: tech,graylog,api,swagger,fuzz


http:
  - method: GET
    path:
      - "{{BaseURL}}"
      - "{{BaseURL}}/api/api-docs"
      - "{{BaseURL}}/api/api-browser"
      - "{{BaseURL}}/api/cluster"
      - "{{BaseURL}}/api/dashboards"
      - "{{BaseURL}}/api/events/definitions"
      - "{{BaseURL}}/api/events/definitions/validate"
      - "{{BaseURL}}/api/events/notifications/test"
      - "{{BaseURL}}/api/events/search"
      - "{{BaseURL}}/api/free-enterprise/license"
      - "{{BaseURL}}/api/plugins/org.graylog.enterprise.integrations/office365/checkSubscriptions"
      - "{{BaseURL}}/api/plugins/org.graylog.enterprise.integrations/office365/inputs"
      - "{{BaseURL}}/api/plugins/org.graylog.enterprise.integrations/office365/startSubscription"
      - "{{BaseURL}}/api/plugins/org.graylog.integrations/aws/cloudwatch/log_groups"
      - "{{BaseURL}}/api/plugins/org.graylog.integrations/aws/inputs"
      - "{{BaseURL}}/api/plugins/org.graylog.integrations/aws/kinesis/auto_setup/create_stream"
      - "{{BaseURL}}/api/plugins/org.graylog.integrations/aws/kinesis/auto_setup/create_subscription"
      - "{{BaseURL}}/api/plugins/org.graylog.integrations/aws/kinesis/auto_setup/create_subscription_policy"
      - "{{BaseURL}}/api/plugins/org.graylog.integrations/aws/kinesis/health_check"
      - "{{BaseURL}}/api/plugins/org.graylog.integrations/aws/kinesis/streams"
      - "{{BaseURL}}/api/plugins/org.graylog.plugins.archive/archives/catalog/rebuild"
      - "{{BaseURL}}/api/plugins/org.graylog.plugins.archive/backends"
      - "{{BaseURL}}/api/plugins/org.graylog.plugins.archive/cluster/archives/catalog/rebuild"
      - "{{BaseURL}}/api/plugins/org.graylog.plugins.collector/configurations"
      - "{{BaseURL}}/api/plugins/org.graylog.plugins.license/licenses/verify"
      - "{{BaseURL}}/api/plugins/org.graylog.plugins.report/reports"
      - "{{BaseURL}}/api/plugins/org.graylog.plugins.security/team-sync/test/backend"
      - "{{BaseURL}}/api/plugins/org.graylog.plugins.security/teams"
      - "{{BaseURL}}/api/scheduler/jobs"
      - "{{BaseURL}}/api/system/authentication/services/backends"
      - "{{BaseURL}}/api/system/authentication/services/test/backend/connection"
      - "{{BaseURL}}/api/system/authentication/services/test/backend/login"
      - "{{BaseURL}}/api/system"
      - "{{BaseURL}}/api/system/content_packs"
      - "{{BaseURL}}/api/system/indexer/cluster/health"
      - "{{BaseURL}}/api/system/indexer/cluster/name"
      - "{{BaseURL}}/api/system/debug/events/cluster"
      - "{{BaseURL}}/api/system/debug/events/local"
      - "{{BaseURL}}/api/system/jobs"
      - "{{BaseURL}}/api/system/pipelines/pipeline"
      - "{{BaseURL}}/api/system/pipelines/rule"
      - "{{BaseURL}}/api/system/urlwhitelist/check"
      - "{{BaseURL}}/api/system/urlwhitelist/generate_regex"
      - "{{BaseURL}}/api/views"
      - "{{BaseURL}}/api/views/fields"
      - "{{BaseURL}}/api/views/forValue"
      - "{{BaseURL}}/api/views/search/messages"
      - "{{BaseURL}}/api/views/search/metadata"
      - "{{BaseURL}}/api/views/search/sync"
      - "{{BaseURL}}/api/users"


    host-redirects: true
    stop-at-first-match: true


    matchers-condition: or
    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains_any(header, 'X-Graylog-Node-Id', 'Graylog', 'graylog')"
          - "contains_any(body, 'X-Graylog-Node-Id', 'Graylog', 'graylog')"
          - "contains_any(body, 'swagger')"
        condition: and


      - type: dsl
        name: unauthorized-graylog-header
        dsl:
          - "status_code == 401"
          - "contains(header, 'X-Graylog-Node-Id') || contains(header, 'Graylog Server')"
        condition: and
# digest: 490a00463044022053d82cf7a7d0a179998c7a5b389e59b23ceebc8f4ee13805d680f2e4b3e2d91c02200310c52e405081f914a77c419f0fda17861f0c219bcbb3f113b525b2fb846584:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/technologies/graylog/graylog-api-exposure.yaml"

View on Github