id: node-ecstatic-listing

info:
  name: Node ecstatic Directory Listing
  author: DhiyaneshDK
  severity: low
  description: Directiory listing enabled in Node ecstatic.
  reference:
    - https://tripla.dk/2020/03/26/multiple-vulnerabilities-in-nodejs-ecstatic-http-server-http-party/
  classification:
    cpe: cpe:2.3:a:ecstatic_project:ecstatic:*:*:*:*:node.js:*:*:*
  metadata:
    verified: true
    max-request: 1
    shodan-query: 'server: "ecstatic"'
    product: ecstatic
    vendor: ecstatic_project
  tags: node,js,listing,ecstatic,vuln


http:
  - method: GET
    path:
      - "{{BaseURL}}/img/"
    headers:
      Range: 10000

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "<title>Index of /img/</title>"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100f7758cd7bc1d7839b40453075ffde10a9e42457160e0459f84f770c1e56e40be0220606649db6c238f8c6fb733ab8eea3aad96c79c6d4a09423e72a0ec77907ce479:922c64590222798bb761d5b6d8e72950