Description
Is there an existing template for this?
- I have searched the existing templates.
Nuclei Template

```yaml
id: kong-manager-oss

info:
  name: Kong Manager OSS Panel Detection
  author: Krishna Jaishwal
  severity: critical
  description: Detects the presence of Unauthenticated Kong Manager OSS GUI panel.
  reference:
    - http://github.com/Kong/kong-manager
    - https://developer.konghq.com/how-to/enable-basic-auth-on-kong-manager/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cwe-id: CWE-200
  metadata:
    max-request: 2
  tags: kong,gui,oss,exposure,panel

http:
  - method: GET
    path:
      - "{{BaseURL}}/"

    matchers-condition: or
    matchers:
      - type: word
        words:
          - "<title>Kong Manager OSS</title>"
        part: body
        condition: and

  - method: GET
    path:
      - "{{BaseURL}}/kconfig.js"

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        words:
          - "ADMIN_GUI_URL"
          - "ADMIN_API_URL"
        part: body
        condition: or
# digest: 4a0a00473045022100eb0e3a9de94eb9e0575c4cb81ed06afcdf3a4a158c8857f829e98524a626a30b022066803ff2a92ad188b08aad0e32bc79f279e04d56aed13e032f7b953a0e2a01f8:c38ddf3e9961cbe0978956b48c219a76
```
Relevant dumped responses
```http
HTTP/2 200 OK
Date: Wed, 01 Oct 2025 20:59:44 GMT
Content-Type: text/html; charset=UTF-8
Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0
X-Frame-Options: sameorigin
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Permitted-Cross-Domain-Policies: master-only
Strict-Transport-Security: max-age=31536000; includeSubDomains

<!DOCTYPE html>
<html lang="en">
<head>
<script>self["MonacoEnvironment"] = (function (paths) {
  return {
    globalAPI: false,
    getWorkerUrl : function (moduleId, label) {
      var result = paths[label];
      if (/^((http:)|(https:)|(file:)|(\/\/))/.test(result)) {
        var currentUrl = String(window.location);
        var currentOrigin = currentUrl.substr(0, currentUrl.length - window.location.hash.length - window.location.search.length - window.location.pathname.length);
        if (result.substring(0, currentOrigin.length) !== currentOrigin) {
          var js = '/*' + label + '*/importScripts("' + result + '");';
          var blob = new Blob([js], { type: 'application/javascript' });
          return URL.createObjectURL(blob);
        }
      }
      return result;
    }
  };
})({
  "editorWorkerService": "/monacoeditorwork/editor.worker.bundle.js"
});</script>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<link rel="shortcut icon" type="image/x-icon" href="/favicon.ico"/>
<title>Kong Manager OSS</title>
<script type="text/javascript" src="/kconfig.js"></script>
<script type="module" crossorigin src="/assets/index-xxxxx.js"></script>
<link rel="stylesheet" crossorigin href="/assets/index-xxxxx.css">
</head>
<body>
<div id="app"></div>
</body>
</html>
```
Anything else?
There are already two templates in the repository related to Kong. One is `http/technologies/kong-detect.yaml`, which detects the Kong service on the basis of the response header. The other is `http/cves/2020/CVE-2020-11710.yaml`, which is for the Kong Admin API. I observed that both of these templates missed a host running an unauthenticated Kong Manager GUI panel (https://github.com/Kong/kong-manager). This GUI panel is their new feature, released two years back for GUI lovers. In the default case, when setting up this GUI panel, it does not implement any authorization. Devs have to manually configure and set up the auth. You can read more about this implementation here: https://developer.konghq.com/how-to/enable-basic-auth-on-kong-manager/. This panel contains the HTML title `Kong Manager OSS`, which made it easy to detect. But I really like JavaScript for tech detection. The JavaScript file `kconfig.js` returns:

```javascript
window.K_CONFIG = {
  'ADMIN_GUI_PATH': '/',
  'ADMIN_API_URL': 'https://xyz',
  'ADMIN_API_PORT': '8001',
  'ADMIN_API_SSL_PORT': '',
  'ADMIN_GUI_URL': 'https://xyz',
  'ANONYMOUS_REPORTS': 'true'
}
```
You can read about it here: https://developer.konghq.com/gateway/configuration/#kong-manager-section.
The extractors could be improved. Let me know if you need any help.
Best,
@Jarvis0p
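For teams that want to check their own Kong deployments for the two signals the template looks for, and to do the extraction the issue says could be improved, here is an added Python example. It is not part of the issue, and it is neither the template's nor nuclei's code. It evaluates the template's matcher logic (title word on `/`; status 200 and either `ADMIN_GUI_URL` or `ADMIN_API_URL` on `/kconfig.js`, each request firing independently as nuclei does without `req-condition`) against already-fetched responses, so it runs offline on sample bodies constructed from the responses dumped above, and it pulls the `K_CONFIG` key/value pairs out of `kconfig.js`, which is what an `extractors:` block on the second request would do. The `assess` function, the `responses` mapping and the sample bodies are assumptions of this example.

```python
import re
from typing import Dict, Tuple

# Constructed sample bodies, modelled on the responses dumped in the issue
# (not captured from any live host).
SAMPLE_INDEX_BODY = """<!DOCTYPE html>
<html lang="en">
<head>
<title>Kong Manager OSS</title>
<script type="text/javascript" src="/kconfig.js"></script>
</head>
<body><div id="app"></div></body>
</html>"""

SAMPLE_KCONFIG_BODY = """window.K_CONFIG = {
'ADMIN_GUI_PATH': '/',
'ADMIN_API_URL': 'https://xyz',
'ADMIN_API_PORT': '8001',
'ADMIN_API_SSL_PORT': '',
'ADMIN_GUI_URL': 'https://xyz',
'ANONYMOUS_REPORTS': 'true'
}"""

# Markers taken from the template's word matchers.
TITLE_MARKER = "<title>Kong Manager OSS</title>"
KCONFIG_WORDS = ("ADMIN_GUI_URL", "ADMIN_API_URL")

# One 'KEY': 'value' pair inside the K_CONFIG object literal.
_KV_RE = re.compile(r"""['"]([A-Z_]+)['"]\s*:\s*['"]([^'"]*)['"]""")


def matches_index(body: str) -> bool:
    """Request 1 of the template: the title word matcher on / (part: body)."""
    return TITLE_MARKER in body


def matches_kconfig(status: int, body: str) -> bool:
    """Request 2: status 200 AND (ADMIN_GUI_URL OR ADMIN_API_URL) in the body."""
    return status == 200 and any(word in body for word in KCONFIG_WORDS)


def extract_kconfig(body: str) -> Dict[str, str]:
    """Extractor: pull every KEY/value pair out of window.K_CONFIG.

    Returns an empty dict when the body carries no K_CONFIG object, so a
    generic 200 page on /kconfig.js does not produce a bogus finding.
    """
    match = re.search(r"window\.K_CONFIG\s*=\s*\{(.*?)\}", body, re.S)
    if not match:
        return {}
    return dict(_KV_RE.findall(match.group(1)))


def assess(responses: Dict[str, Tuple[int, str]]) -> Dict[str, object]:
    """Evaluate the two-request template against already-fetched responses.

    `responses` maps request path -> (status, body). Each request's matchers
    are evaluated independently, so a host is flagged if either request
    matches. A path that was not fetched counts as not matching.
    """
    _, idx_body = responses.get("/", (0, ""))
    cfg_status, cfg_body = responses.get("/kconfig.js", (0, ""))
    hit_index = matches_index(idx_body)
    hit_kconfig = matches_kconfig(cfg_status, cfg_body)
    return {
        "matched": hit_index or hit_kconfig,
        "matched_by": [name for name, hit in (("index", hit_index), ("kconfig", hit_kconfig)) if hit],
        # Only extract from a body that actually matched request 2.
        "config": extract_kconfig(cfg_body) if hit_kconfig else {},
    }


if __name__ == "__main__":
    finding = assess({"/": (200, SAMPLE_INDEX_BODY), "/kconfig.js": (200, SAMPLE_KCONFIG_BODY)})
    print(finding)
```

The extracted `ADMIN_API_URL` and `ADMIN_GUI_URL` values are the useful part of a finding for the owning team: they say which Admin API a given Manager instance is wired to, so the fix (enabling basic auth on Kong Manager per the linked how-to, and restricting the Admin API) can be applied to the right deployment.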