From 730f99d70f41c86fae783f96c825f1977779a23f Mon Sep 17 00:00:00 2001
From: Roberto Nunes <46332131+Akokonunes@users.noreply.github.com>
Date: Fri, 3 Apr 2026 11:45:16 +0900
Subject: [PATCH 1/2] Create piwik-unauthenticated-access.yaml
---
.../piwik/piwik-unauthenticated-access.yaml | 54 +++++++++++++++++++
1 file changed, 54 insertions(+)
create mode 100644 http/misconfiguration/piwik/piwik-unauthenticated-access.yaml
diff --git a/http/misconfiguration/piwik/piwik-unauthenticated-access.yaml b/http/misconfiguration/piwik/piwik-unauthenticated-access.yaml
new file mode 100644
index 000000000000..f13402fd799f
--- /dev/null
+++ b/http/misconfiguration/piwik/piwik-unauthenticated-access.yaml
@@ -0,0 +1,54 @@
+id: piwik-unauthenticated-access
+
+info:
+ name: Piwik/Matomo - Unauthenticated Access
+ author: 0x_Akoko
+ severity: high
+ description: |
+ Detected Piwik/Matomo instances exposing analytics data without authentication. When anonymous access was enabled, the API returned visitor statistics, page views, and other sensitive analytics data using the anonymous token.
+ reference:
+ - https://developer.matomo.org/api-reference/reporting-api
+ - https://matomo.org/faq/general/faq_152/
+ metadata:
+ verified: true
+ max-request: 5
+ vendor: matomo
+ product: matomo
+ shodan-query:
+ - http.title:"Piwik"
+ - http.title:"Matomo"
+ fofa-query:
+ - title="Piwik"
+ - title="Matomo"
+ tags: piwik,matomo,unauth,exposure,misconfig,analytics
+
+http:
+ - method: GET
+ path:
+ - "{{BaseURL}}/index.php?module=API&method=VisitsSummary.get&idSite=1&period=day&date=today&format=json&token_auth=anonymous"
+ - "{{BaseURL}}/matomo/index.php?module=API&method=VisitsSummary.get&idSite=1&period=day&date=today&format=json&token_auth=anonymous"
+ - "{{BaseURL}}/piwik/index.php?module=API&method=VisitsSummary.get&idSite=1&period=day&date=today&format=json&token_auth=anonymous"
+ - "{{BaseURL}}/index.php?module=API&method=SitesManager.getAllSites&format=json&token_auth=anonymous"
+ - "{{BaseURL}}/matomo/index.php?module=API&method=SitesManager.getAllSites&format=json&token_auth=anonymous"
+
+ stop-at-first-match: true
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ part: header
+ words:
+ - "application/json"
+
+ - type: word
+ part: body
+ words:
+ - "nb_visits"
+ - "nb_uniq_visitors"
+ - "nb_actions"
+ - "idsite"
+ - "main_url"
+ condition: or
From f31f8616dd4f912604313a15e62d424ab623baf8 Mon Sep 17 00:00:00 2001
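Review bot: The `part: body` word list with `condition: or` is the only matcher that actually separates returned data from a refusal, because the status and content-type matchers describe an error reply just as well: if, as I believe, the Matomo Reporting API answers denied requests with HTTP 200 and a JSON envelope of the form `{"result":"error","message":"…"}`, then `matchers-condition: and` is satisfied by any error body that happens to contain one of the five tokens, and `idsite`/`main_url` are generic enough for that to happen when the message echoes the request. A negative word matcher on the error envelope makes the match depend on data being present rather than on those tokens being absent; the same applies to the relocated status and `content_type` matchers in the second patch's hunk. The description should also state the condition in the present tense so it reads as a detection rule rather than a past report: `When anonymous access is enabled, the API returns visitor statistics, page views and other analytics data to the built-in anonymous token.`
```yaml
    matchers:
      # … unchanged: body word matcher, content-type matcher, status matcher …
      - type: word
        part: body
        words:
          - '"result":"error"'
        negative: true
```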
From: Dhiyaneshwaran
Date: Fri, 3 Apr 2026 21:31:44 +0530
Subject: [PATCH 2/2] Update piwik-unauthenticated-access.yaml
---
.../piwik/piwik-unauthenticated-access.yaml | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/http/misconfiguration/piwik/piwik-unauthenticated-access.yaml b/http/misconfiguration/piwik/piwik-unauthenticated-access.yaml
index f13402fd799f..91d6839472e2 100644
--- a/http/misconfiguration/piwik/piwik-unauthenticated-access.yaml
+++ b/http/misconfiguration/piwik/piwik-unauthenticated-access.yaml
@@ -34,15 +34,6 @@ http:
 stop-at-first-match: true
 matchers-condition: and
 matchers:
- - type: status
- status:
- - 200
-
- - type: word
- part: header
- words:
- - "application/json"
-
 - type: word
 part: body
 words:
@@ -52,3 +43,12 @@ http:
 - "idsite"
 - "main_url"
 condition: or
+
+ - type: word
+ part: content_type
+ words:
+ - "application/json"
+
+ - type: status
+ status:
+ - 200