Insecure Default Configuration
import requests
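def test_error_handling(
    base_url="http://DEVLOPMENT_HOST:3000/api/v1/user/keys",
    doc_url="http://HOST_LEAKED/api/swagger",
    timeout=10.0,
):
    """Probe an API endpoint for information disclosure in its error responses.

    Sends a request to ``base_url`` with an empty ``Authorization`` header and
    prints the status, headers and body of the reply, flagging markers that
    suggest the error message discloses more than it should (an internal host
    reference, the API framework in use, the exact auth requirement). It then
    checks whether the documentation URL named in such a message is reachable
    without credentials.

    Args:
        base_url: Endpoint to probe. The default keeps the original
            ``DEVLOPMENT_HOST`` placeholder and must be replaced with the
            host under test.
        doc_url: Documentation URL to check for unauthenticated access. The
            default keeps the original ``HOST_LEAKED`` placeholder.
        timeout: Per-request timeout in seconds, so an unresponsive host
            cannot hang the run indefinitely.

    Returns:
        None. Findings are printed to stdout; note that the output includes
        the raw response headers and body, so treat captured logs with care.
    """
    # Test cases for error handling analysis: (name, extra headers to send).
    test_cases = [
        ("empty_auth_header", {"Authorization": ""}),
    ]

    print("=== Testing Error Handling ===")
    for name, auth_header in test_cases:
        headers = {"Accept": "application/json"}
        if auth_header:
            headers.update(auth_header)
        # Only the network call can raise here; keep the try body minimal and
        # catch the requests exception hierarchy rather than everything.
        try:
            response = requests.get(
                base_url,
                headers=headers,
                params={"fingerprint": "test", "page": 1, "limit": 1},
                timeout=timeout,
            )
        except requests.RequestException as e:
            print(f"\nTest: {name} failed with error: {e}")
            continue
        print(f"\nTest: {name}")
        print(f"Status: {response.status_code}")
        print(f"Headers: {response.headers}")
        print(f"Body: {response.text}")
        # Check for information leakage
        for finding in _disclosure_findings(response.text):
            print(finding)

    # Attempt to access the leaked documentation URL
    print("\n=== Testing Documentation URL ===")
    try:
        response = requests.get(doc_url, timeout=timeout)
    except requests.RequestException as e:
        print(f"Failed to access documentation: {e}")
        return
    print(f"Documentation URL status: {response.status_code}")
    print(f"Content length: {len(response.text)}")
    if response.status_code == 200:
        print("!!! API documentation accessible !!!")


def _disclosure_findings(body):
    """Return the disclosure warnings that apply to a response body.

    Args:
        body: Raw response text.

    Returns:
        A list of warning strings, in a fixed order, one per marker found.
        The ``localhost`` and ``swagger`` checks are case-insensitive; the
        ``token is required`` phrase is matched exactly, as in the original
        script.
    """
    lowered = body.lower()
    findings = []
    if "localhost" in lowered:
        findings.append("!!! Localhost reference detected in error message !!!")
    if "swagger" in lowered:
        findings.append("!!! API framework information leaked !!!")
    if "token is required" in body:
        findings.append("!!! Specific auth requirement disclosed !!!")
    return findings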
if __name__ == "__main__":
    # Run the probe only when executed as a script, not when imported.
    test_error_handling()