@HamzaSahin61 HamzaSahin61 commented Oct 6, 2025

Summary

This module detects publicly exposed ReDoc API documentation pages.
It performs safe, read-only HTTP GET requests and reports likely ReDoc instances based on common HTML markers.

Module name

auxiliary/scanner/http/redoc_exposed

Options

  • RPORT – Target TCP port (default: 80)
  • SSL – Enable TLS (default: false)
  • REDOC_PATHS – Optional comma-separated list of paths to probe. When unset, the module probes: /redoc, /redoc/, /docs, /api/docs, /openapi.

Verification steps

  1. Start msfconsole
  2. use auxiliary/scanner/http/redoc_exposed
  3. set RHOSTS <target or file:/path/to/targets.txt>
  4. (Optional) set REDOC_PATHS /redoc,/docs
  5. (Optional) set RPORT <port> and/or set SSL true
  6. run

Expected

[+] <ip> - ReDoc likely exposed at <path>

Scanning notes

  • DOM-driven checks via get_html_document:
    • <redoc> / redoc- custom elements
    • #redoc container
    • <script src="...redoc(.standalone).js">
  • Falls back to body/title heuristics if DOM parsing is unavailable.
  • No intrusive actions; read-only HTTP GET requests only.

Example session

use auxiliary/scanner/http/redoc_exposed
set RHOSTS 127.0.0.1
set RPORT 8001
set SSL false
run
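As an added illustration of the detection logic described in the scanning notes (example code, not the module's own): the Metasploit module uses get_html_document, a real DOM parser, whereas this stand-alone Ruby approximates the same three markers (custom element, #redoc container, redoc(.standalone).js script) and the body/title fallback with regular expressions over constructed sample responses. The 200-only rule, the :likely/:possible verdicts, the default path list as a constant and all sample HTML are assumptions for this example.

```ruby
# Added example (not the module's own code): a stand-alone, regex-based
# approximation of the ReDoc markers the PR describes, run over constructed
# HTML responses. Metasploit's get_html_document uses a real DOM parser
# (Nokogiri); the regexes here stand in for those lookups so the logic runs
# without the framework.

# Default probe list from the PR description.
DEFAULT_PATHS = %w[/redoc /redoc/ /docs /api/docs /openapi].freeze

# Strong markers: ReDoc-specific markup that the DOM checks look for.
STRONG_MARKERS = {
  custom_element: %r{<redoc(?:-[\w-]+)?[\s>/]}i,                     # <redoc ...>, <redoc-xyz ...>
  container_id:   /<[a-z][^>]*\bid\s*=\s*["']?redoc["'\s>]/i,        # #redoc container
  script_src:     /<script\b[^>]*\bsrc\s*=\s*["'][^"']*redoc(?:\.standalone)?\.js\b/i
}.freeze

# Weak markers: the body/title heuristics the module falls back to.
WEAK_MARKERS = [
  %r{<title\b[^>]*>[^<]*redoc[^<]*</title>}i,   # page title mentions ReDoc
  /\bReDoc\b/                                   # product name in visible text
].freeze

# Names of the strong markers present in an HTML body (insertion order).
def strong_markers(html)
  STRONG_MARKERS.select { |_name, re| html.match?(re) }.keys
end

# :likely   - at least one ReDoc-specific DOM marker fired
# :possible - only the weak title/body heuristic fired
# :none     - nothing ReDoc-like (also for nil/empty bodies)
def classify(html)
  return :none if html.nil? || html.empty?
  return :likely unless strong_markers(html).empty?
  return :possible if WEAK_MARKERS.any? { |re| html.match?(re) }
  :none
end

# Stands in for one read-only GET per path. `responses` maps
# path => [status, body]; only 200 responses are inspected (an assumption
# made for this example). Returns [[path, verdict], ...] for hits only.
def scan(responses, paths = DEFAULT_PATHS)
  paths.filter_map do |path|
    status, body = responses[path]
    next unless status == 200
    verdict = classify(body)
    [path, verdict] unless verdict == :none
  end
end

# Constructed sample bodies (not captured from a real host).
SAMPLE_REDOC = <<~HTML
  <!DOCTYPE html>
  <html><head><title>Demo API</title></head>
  <body>
    <redoc spec-url="/openapi.yaml"></redoc>
    <script src="https://cdn.redoc.ly/redoc/latest/bundles/redoc.standalone.js"></script>
  </body></html>
HTML

SAMPLE_CONTAINER = <<~HTML
  <html><head><title>API Reference</title></head>
  <body>
    <div id="redoc"></div>
    <script src="/static/vendor/bundle.js"></script>
    <script>Redoc.init('/openapi.json', {}, document.getElementById('redoc'));</script>
  </body></html>
HTML

SAMPLE_SWAGGER = <<~HTML
  <html><head><title>Swagger UI</title></head>
  <body><div id="swagger-ui"></div>
  <script src="/swagger-ui-bundle.js"></script></body></html>
HTML

SAMPLE_TITLE_ONLY = <<~HTML
  <html><head><title>ReDoc</title></head>
  <body><p>Loading API reference...</p></body></html>
HTML

# Simulated responses for the default probe list.
SAMPLE_RESPONSES = {
  '/redoc'    => [200, SAMPLE_REDOC],
  '/redoc/'   => [301, ''],
  '/docs'     => [200, SAMPLE_SWAGGER],
  '/api/docs' => [200, SAMPLE_CONTAINER],
  '/openapi'  => [200, '{"openapi":"3.0.0","info":{"title":"Demo","version":"1.0"},"paths":{}}']
}.freeze

if $PROGRAM_NAME == __FILE__
  scan(SAMPLE_RESPONSES).each do |path, verdict|
    puts "[+] 127.0.0.1 - ReDoc #{verdict} at #{path}"
  end
end
```

The Swagger UI page at /docs and the raw JSON spec at /openapi are deliberately included as negatives: a scanner that only grepped for the string "redoc" would also fire on a CDN hostname, so the markers are tied to the element, the id attribute and the script filename rather than to the bare word.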


@msutovsky-r7 msutovsky-r7 left a comment


Can you add documentation for your module? Ideally, with steps to setup development environment

github-actions bot commented Oct 7, 2025

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

@HamzaSahin61

Thanks for the review! I’ve applied all suggestions:

  • Removed require 'msf/core' and added the standard Metasploit header.
  • Switched return values to true/false, removed the explicit timeout.
  • Implemented DOM checks via get_html_document (<redoc>, #redoc, redoc(.standalone).js) with a lightweight fallback.
  • Kept REDOC_PATHS optional with a default path list when empty.
  • Added module docs at documentation/modules/auxiliary/scanner/http/redoc_exposed.md.
  • Ran rubocop -a on the module (no offenses).

Please let me know if anything else is needed. Thanks!


@smcintyre-r7 smcintyre-r7 left a comment


Thanks for submitting this module!

@bwatters-r7

@HamzaSahin61 do you have instructions for building a test target? Would something like https://redocly.com/docs/redoc/deployment/docker work?

@HamzaSahin61

> @HamzaSahin61 do you have instructions for building a test target? Would something like https://redocly.com/docs/redoc/deployment/docker work?
@bwatters-r7

Docker (Redocly):

  1. printf 'openapi: 3.0.0\ninfo: {title: Demo, version: "1.0"}\npaths: {}\n' > openapi.yaml
  2. docker run --rm -p 8001:80 \
       -v "$PWD/openapi.yaml:/usr/share/nginx/html/openapi.yaml:ro" \
       -e SPEC_URL="/openapi.yaml" redocly/redoc

ReDoc is served at http://127.0.0.1:8001/

Metasploit:

use auxiliary/scanner/http/redoc_exposed
set RHOSTS 127.0.0.1
set RPORT 8001
set SSL false
set REDOC_PATHS /
run

Expected: [+] 127.0.0.1 - ReDoc likely exposed at /

@bwatters-r7 bwatters-r7 self-assigned this Oct 22, 2025
@bwatters-r7

msf auxiliary(scanner/http/redoc_exposed) > show options

Module options (auxiliary/scanner/http/redoc_exposed):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: socks4,
                                            socks5, socks5h, http, sapni
   REDOC_PATHS  /                yes       Comma-separated list of paths to probe
   RHOSTS       10.5.135.119     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-m
                                           etasploit.html
   RPORT        8001             yes       The target port (TCP)
   SSL          false            no        Negotiate SSL/TLS for outgoing connections
   THREADS      1                yes       The number of concurrent threads (max one per host)
   VHOST                         no        HTTP server virtual host


View the full module info with the info, or info -d command.

msf auxiliary(scanner/http/redoc_exposed) > run
[+] 10.5.135.119 - ReDoc likely exposed at /
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/http/redoc_exposed) > 


@bwatters-r7 bwatters-r7 left a comment


Noticed my suggestion had a duplicate section. Sorry about that!

Removed the 'How It Works' section detailing the probing process for REDOC.
@HamzaSahin61

> Noticed my suggestion had a duplicate section. Sorry about that!

No problem :) Fixed it.

@bwatters-r7 bwatters-r7 dismissed smcintyre-r7’s stale review October 24, 2025 16:18

Requested changes were addressed

@bwatters-r7 bwatters-r7 merged commit d1c9410 into rapid7:master Oct 24, 2025
18 checks passed
@bwatters-r7

Release Notes

Adds a module to detect publicly exposed ReDoc API documentation pages using read-only HTTP GET requests searching for common HTML markers.

@bwatters-r7

Thank you for your module, @HamzaSahin61; I noticed that this was your first PR with us, and we appreciate it!

@HamzaSahin61

> Thank you for your module, @HamzaSahin61; I noticed that this was your first PR with us, and we appreciate it!

Thanks a lot

@HamzaSahin61 HamzaSahin61 deleted the feat/redoc-exposed-scanner branch October 26, 2025 19:01