Conversation

@HamzaSahin61 HamzaSahin61 commented Oct 6, 2025

Summary

This module detects publicly exposed ReDoc API documentation pages.
It performs safe, read-only HTTP GET requests and reports likely ReDoc instances based on common HTML markers.

Module name

auxiliary/scanner/http/redoc_exposed

Options

  • RPORT – Target TCP port (default: 80)
  • SSL – Enable TLS (default: false)
  • REDOC_PATHS – Optional comma-separated list of paths to probe. When unset, the module probes: /redoc, /redoc/, /docs, /api/docs, /openapi.

Verification steps

  1. Start msfconsole
  2. use auxiliary/scanner/http/redoc_exposed
  3. set RHOSTS <target or file:/path/to/targets.txt>
  4. (Optional) set REDOC_PATHS /redoc,/docs
  5. (Optional) set RPORT <port> and/or set SSL true
  6. run

Expected

[+] <ip> - ReDoc likely exposed at <path>

Scanning notes

  • DOM-driven checks via get_html_document:
    • <redoc> / redoc- custom elements
    • #redoc container
    • <script src="...redoc(.standalone).js">
  • Falls back to body/title heuristics if DOM parsing is unavailable.
  • No intrusive actions; read-only HTTP GET requests only.

Example session

use auxiliary/scanner/http/redoc_exposed
set RHOSTS 127.0.0.1
set RPORT 8001
set SSL false
run
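
The marker checks listed in the scanning notes can be sketched as below. This is an added example, not the module's code from this pull request: regular expressions stand in for the `get_html_document` DOM queries so it runs on the Ruby standard library alone, and the names `redoc_markers` and `redoc_exposed?`, the title heuristic and the sample pages are assumptions constructed for illustration.

```ruby
# Added illustration, not the redoc_exposed module's code. Regexes stand in for
# the DOM queries so it runs on the Ruby standard library alone.

# Marker name => pattern, following the markers in the scanning notes.
REDOC_MARKERS = {
  custom_element: %r{<redoc(?:-[a-z0-9-]+)?[\s>/]}i,                   # <redoc> or <redoc-...>
  container_id: /<[a-z][a-z0-9]*\b[^>]*\bid\s*=\s*["']?redoc["'\s>]/i, # id="redoc"
  script_src: /<script\b[^>]*\bsrc\s*=\s*["'][^"']*redoc(?:\.standalone)?\.js/i
}.freeze

# Assumed fallback heuristic: the word "redoc" inside <title>.
TITLE_FALLBACK = %r{<title[^>]*>[^<]*redoc[^<]*</title>}i

# Returns the names of the markers found in an HTML body.
def redoc_markers(html)
  # A DOM parser ignores comments; strip them so commented-out markup
  # does not count as a marker here either.
  body = html.to_s.gsub(/<!--.*?-->/m, '')
  found = REDOC_MARKERS.select { |_name, pattern| body.match?(pattern) }.keys
  # The weaker title check only applies when no structural marker matched.
  found << :title_fallback if found.empty? && body.match?(TITLE_FALLBACK)
  found
end

def redoc_exposed?(html)
  !redoc_markers(html).empty?
end

# Constructed sample pages (not captured from any real host).
SAMPLE_STANDALONE = <<~HTML
  <html><head><title>API reference</title></head>
  <body><redoc spec-url="/openapi.yaml"></redoc>
  <script src="https://cdn.example.invalid/redoc.standalone.js"></script></body></html>
HTML

SAMPLE_CONTAINER = '<html><body><div id="redoc"></div></body></html>'

# Mentions the product in prose only; none of the markers is present.
SAMPLE_BLOG = '<html><head><title>Docs tools</title></head>' \
              '<body><p>We compared ReDoc and others.</p></body></html>'

if __FILE__ == $PROGRAM_NAME
  { standalone: SAMPLE_STANDALONE, container: SAMPLE_CONTAINER, blog: SAMPLE_BLOG }.each do |name, html|
    puts "#{name}: exposed=#{redoc_exposed?(html)} markers=#{redoc_markers(html).inspect}"
  end
end
```

Reporting which marker matched, rather than a bare true/false, makes it easier to triage a hit that rests only on the title fallback.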

Contributor

@msutovsky-r7 msutovsky-r7 left a comment

Can you add documentation for your module? Ideally, with steps to set up a development environment.

github-actions bot commented Oct 7, 2025

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

@HamzaSahin61
Author

Thanks for the review! I’ve applied all suggestions:

  • Removed require 'msf/core' and added the standard Metasploit header.
  • Switched return values to true/false, removed the explicit timeout.
  • Implemented DOM checks via get_html_document (<redoc>, #redoc, redoc(.standalone).js) with a lightweight fallback.
  • Kept REDOC_PATHS optional with a default path list when empty.
  • Added module docs at documentation/modules/auxiliary/scanner/http/redoc_exposed.md.
  • Ran rubocop -a on the module (no offenses).

Please let me know if anything else is needed. Thanks!

Contributor

@smcintyre-r7 smcintyre-r7 left a comment

Thanks for submitting this module!

@bwatters-r7
Contributor

@HamzaSahin61 do you have instructions for building a test target? Would something like https://redocly.com/docs/redoc/deployment/docker work?

@HamzaSahin61
Author

@HamzaSahin61 do you have instructions for building a test target? Would something like https://redocly.com/docs/redoc/deployment/docker work?
@bwatters-r7

Docker (Redocly):

  1. printf 'openapi: 3.0.0\ninfo: {title: Demo, version: "1.0"}\npaths: {}\n' > openapi.yaml
  2. docker run --rm -p 8001:80 \
       -v "$PWD/openapi.yaml:/usr/share/nginx/html/openapi.yaml:ro" \
       -e SPEC_URL="/openapi.yaml" redocly/redoc

ReDoc is served at http://127.0.0.1:8001/

Metasploit:
use auxiliary/scanner/http/redoc_exposed
set RHOSTS 127.0.0.1
set RPORT 8001
set SSL false
set REDOC_PATHS /
run

Expected: [+] 127.0.0.1 - ReDoc likely exposed at /
