Detects the presence of JHipster application dashboard or API endpoints that allow authentication using default credentials. JHipster applications by default are often configured with the username "admin" and password "admin", potentially exposing application management interfaces or sensitive APIs if not changed after deployment.
PoC代码[已公开]
id: jhipster-default-login
info:
name: JHipster Platform - Default Login
author: ritikchaddha
severity: high
description: |
Detects the presence of JHipster application dashboard or API endpoints that allow authentication using default credentials. JHipster applications by default are often configured with the username "admin" and password "admin", potentially exposing application management interfaces or sensitive APIs if not changed after deployment.
reference:
- https://www.jhipster.tech/security/
metadata:
verified: true
max-request: 2
shodan-query: title:"JHipster"
fofa-query: title="JHipster"
tags: jhipster,default-login,exposure,misconfig
http:
- raw:
- |
POST /api/authenticate HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"username":"{{username}}","password":"{{password}}","rememberMe":false}
payloads:
username:
- "admin"
- "user"
password:
- "admin"
- "user"
attack: pitchfork
matchers-condition: and
matchers:
- type: word
part: body
words:
- '{"id_token":"ey'
- type: word
part: header
words:
- "application/json"
- "Authorization: Bearer"
condition: and
- type: status
status:
- 200
# digest: 4a0a0047304502205c5728cd6a7d1ebae0abb0458e44dea19f478f49505da89a1975ca8247fe51af022100c0403bbf0005cd29111f67dba879191d33ce0926da3b0c2583df4e1b2892a68f:922c64590222798bb761d5b6d8e72950