The .vscode/launch.json file, used by Visual Studio Code for debugging configurations, is publicly accessible. This file often contains sensitive information such as local file paths, runtime arguments, environment variables, and sometimes hardcoded credentials or access tokens.
PoC code [public]
id: vscode-launch

info:
  name: Visual Studio Code launch.json Exposure
  author: DhiyaneshDK
  severity: low
  description: |
    The .vscode/launch.json file, used by Visual Studio Code for debugging configurations, is publicly accessible. This file often contains sensitive information such as local file paths, runtime arguments, environment variables, and sometimes hardcoded credentials or access tokens.
  reference:
    - https://code.visualstudio.com/docs/editor/debugging
  metadata:
    verified: true
    max-request: 1
    shodan-query: title:"index" html:".vscode"
  tags: vscode,files,debug,exposure,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/.vscode/launch.json"
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"version":'
          - '"configurations":'
        condition: and
      - type: word
        part: content_type
        words:
          - 'application/json'
      - type: status
        status:
          - 200
# digest: 4a0a00473045022100f049a6326098e27abe32606abf6b0bda16519b908588864e328bb9968fd0586002204e77327e18f8b11bcb1acaa7a05fedb663ea4a298410337f116f3b8b8f0bc784:922c64590222798bb761d5b6d8e72950
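To check what a given launch.json would disclose if it reached a web root, the following added example (not part of the original page or the template) parses the file and reports which keys hold the kinds of data the description lists. The function names, the key-name heuristics and the sample file are assumptions made for illustration; the sample is constructed.

```python
import json, re

_STR = r'"(?:\\.|[^"\\])*"'  # a JSON string literal
# Heuristic key names (assumed for this example, extend for your own projects).
SECRET = re.compile(r"password|passwd|pwd|secret|token|api[_-]?key|credential", re.I)
ABS_PATH = re.compile(r"/(home|Users|root|var|opt|srv)/|[A-Za-z]:\\")

def _strip(pattern, text):
    # Delete matches of `pattern` that lie outside string literals.
    rx = re.compile(_STR + "|" + pattern, re.S)
    return rx.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", text)

def load_jsonc(text):
    # launch.json allows comments and trailing commas; json.loads accepts neither.
    text = _strip(r"//[^\n]*|/\*.*?\*/", text)
    return json.loads(_strip(r",(?=\s*[}\]])", text))

def audit_launch(text):
    # Returns (configuration name, finding kind, key); values are never echoed.
    findings = []
    for cfg in load_jsonc(text).get("configurations", []):
        name = cfg.get("name", "?")
        for key, val in (cfg.get("env") or {}).items():
            # A ${...} reference is resolved at debug time, not stored in the file.
            if SECRET.search(key) and val and "${" not in str(val):
                findings.append((name, "env-secret", key))
        for arg in map(str, cfg.get("args") or []):
            flag = arg.split("=", 1)[0]
            if "=" in arg and SECRET.search(flag):
                findings.append((name, "arg-secret", flag))
        for key in ("program", "cwd", "envFile"):
            if ABS_PATH.match(str(cfg.get(key, ""))):
                findings.append((name, "local-path", key))
    return findings

SAMPLE = r'''{
  // constructed sample, not taken from a real project
  "version": "0.2.0",
  "configurations": [{
    "name": "api", "type": "node", "request": "launch",
    "program": "/home/dev/app/server.js",
    "args": ["--db-password=EXAMPLE-ONLY", "--port=8080"],
    "env": {
      "API_TOKEN": "EXAMPLE-ONLY",
      "DOCS_URL": "http://localhost/docs", /* the // in this URL is not a comment */
      "DB_PASSWORD": "${env:DB_PASSWORD}",
    },
  }]
}'''

if __name__ == "__main__":
    print(audit_launch(SAMPLE))
```

Any finding means the file should be kept out of the deployed tree and the stored value rotated if the file was ever reachable.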