id: node-ecstatic-listing

info:
  name: Node ecstatic Directory Listing
  author: DhiyaneshDK
  severity: low
  description: Directiory listing enabled in Node ecstatic.
  reference:
    - https://tripla.dk/2020/03/26/multiple-vulnerabilities-in-nodejs-ecstatic-http-server-http-party/
  classification:
    cpe: cpe:2.3:a:ecstatic_project:ecstatic:*:*:*:*:node.js:*:*:*
  metadata:
    verified: true
    max-request: 1
    shodan-query: 'server: "ecstatic"'
    product: ecstatic
    vendor: ecstatic_project
  tags: node,js,listing,ecstatic


http:
  - method: GET
    path:
      - "{{BaseURL}}/img/"
    headers:
      Range: 10000

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "<title>Index of /img/</title>"

      - type: status
        status:
          - 200
# digest: 490a0046304402200734642ad975781c89c227f49e485383ef50e1c890ffd91b7740cbae61717db90220437ed4c0daeba2a948ea3b992fd3fb283d104a1a0295085f1220b6f9dd4ef97c:922c64590222798bb761d5b6d8e72950