
Info

ID: AT-RE002.001
Tactic: Reconnaissance

Manifest Inspection

Manifest inspection is a sub-technique of the Reconnaissance phase's Application Dependencies Mapping technique in which adversaries systematically analyze the manifest files shipped with an application to enumerate its dependencies, versions, and configuration. These manifest files (such as package.json, Gemfile.lock, requirements.txt, pom.xml, or AndroidManifest.xml) contain metadata that reveals the application's architecture, component relationships, and third-party dependencies. By examining them, attackers can identify outdated libraries with known vulnerabilities, permission requirements, API endpoints, and service configurations without needing access to the source code. This reconnaissance activity lets adversaries construct a comprehensive dependency graph of the target application, prioritize potential attack vectors based on known CVEs in specific dependency versions, and develop targeted exploitation strategies that leverage weaknesses in the application's supply chain or component interdependencies.
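To make concrete what a manifest discloses, here is an added example (not code from the original page) that enumerates the declared dependencies from a package.json and a requirements.txt and reports which entries are left unpinned. Both manifest bodies are constructed samples embedded inline; the package names and versions are illustrative, not a real project. Defenders can run the same inventory over their own repositories to see what an unauthenticated reader would learn before deciding which fields to minimise.

```python
"""Added example (not from the original page): enumerate dependencies declared
in two common manifest formats and flag unpinned version specifiers.
All file contents below are constructed samples, not a real project."""
import json
import re

# Constructed sample package.json (illustrative names and versions only)
PACKAGE_JSON = """{
  "name": "example-app",
  "version": "1.4.2",
  "dependencies": {"express": "^4.17.1", "lodash": "4.17.15"},
  "devDependencies": {"jest": "~26.6.0"}
}"""

# Constructed sample requirements.txt (illustrative only)
REQUIREMENTS_TXT = """# web stack
flask==1.1.2
requests>=2.24,<3
pyyaml
-r base.txt
"""

# An exact semver triple (no range operator) counts as pinned.
EXACT_SEMVER = re.compile(r"\d+\.\d+\.\d+")
# name followed by an optional PEP 440 specifier such as ==1.0 or >=2,<3
REQ_LINE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*([<>=!~]+.*)?$")


def parse_package_json(text):
    """Return {name: {spec, section, pinned}} for runtime and dev dependencies."""
    data = json.loads(text)
    deps = {}
    for section in ("dependencies", "devDependencies"):
        for name, spec in data.get(section, {}).items():
            deps[name] = {
                "spec": spec,
                "section": section,
                "pinned": EXACT_SEMVER.fullmatch(spec) is not None,
            }
    return deps


def parse_requirements(text):
    """Return {name: {spec, pinned}} from requirements.txt; option lines
    (e.g. '-r base.txt') are kept as entries with option=True so nothing
    the manifest discloses is silently dropped."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        if line.startswith("-"):
            deps[line] = {"spec": None, "pinned": False, "option": True}
            continue
        match = REQ_LINE.match(line)
        if not match:
            continue
        name, spec = match.group(1), match.group(2) or ""
        deps[name] = {"spec": spec or None, "pinned": spec.startswith("==")}
    return deps


def unpinned(deps):
    """Names of real packages whose version is not pinned exactly."""
    return sorted(
        name for name, info in deps.items()
        if not info["pinned"] and not info.get("option")
    )


if __name__ == "__main__":
    for label, deps in (("package.json", parse_package_json(PACKAGE_JSON)),
                        ("requirements.txt", parse_requirements(REQUIREMENTS_TXT))):
        print(f"{label}: {len(deps)} entries, unpinned: {unpinned(deps)}")
```

Unpinned entries matter to both sides: they tell a reader which versions actually resolve only at install time, and they tell the owner where a lock file is doing the real work and should not be published alongside the manifest if it is not needed there.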

Mitigations

ID      Mitigation                        Description
M1013   Application Developer Guidance    Avoid committing verbose manifest files to public repos; where required, minimise exposed fields.
M1021   Restrict Web-Based Content        Enforce repo-level ACLs or token-gated downloads for manifests containing sensitive dependency info.

Detection

Most manifest inspection is performed against public repositories or web-exposed assets using unauthenticated HTTP requests, placing the activity mostly outside traditional enterprise telemetry.

Limited visibility may be gained through:

  • Repository audit trails if the organisation owns the project and reviews per-file access logs.
  • Threat-intel services that detect large-scale crawling of package.json, pom.xml, etc., linked to the organisation.
  • Subsequent attack artefacts (e.g., crafted exploits that reference specific dependency versions discovered in manifests).
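The second bullet above describes detecting large-scale crawling of manifest paths. As an added example (not part of the original page), the script below runs that check over a few constructed web-server access log lines in Combined Log Format, grouping requests by client address and flagging any client that fetched several distinct manifest files. The manifest filename list and the threshold of three distinct paths are assumptions chosen for the example; the client addresses are from documentation ranges.

```python
"""Added example (not from the original page): flag clients that request many
manifest files, the crawling pattern described in the Detection section.
The log lines are constructed samples in Combined Log Format."""
import re
from collections import defaultdict

# Assumed list of manifest basenames worth watching (lower-cased for matching).
MANIFEST_NAMES = {
    "package.json", "package-lock.json", "requirements.txt", "gemfile.lock",
    "pom.xml", "androidmanifest.xml", "composer.json", "go.mod",
}

# Combined Log Format: ip ident user [time] "method path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log; 203.0.113.5 sweeps four manifest paths,
# the other clients touch at most one, and one line is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /package.json HTTP/1.1" 200 512 "-" "curl/7.88"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /pom.xml HTTP/1.1" 404 153 "-" "curl/7.88"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /requirements.txt HTTP/1.1" 200 88 "-" "curl/7.88"
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "GET /app/package.json?v=2 HTTP/1.1" 200 640 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:14:01:02 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:01:03 +0000] "GET /package.json HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:07:45 +0000] "GET /Gemfile.lock HTTP/1.1" 200 1300 "-" "python-requests/2.31"
this line is not a valid access log record
"""


def parse_line(line):
    """Return the named groups of one log line, or None if it does not parse."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def manifest_basename(path):
    """Lower-cased final path component with any query string removed."""
    return path.split("?", 1)[0].rstrip("/").rsplit("/", 1)[-1].lower()


def manifest_requests(lines):
    """Map client IP -> set of distinct manifest paths it requested.
    Every status code counts: a 404 still records a probe for the file."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed record; skipped rather than failing the run
        if manifest_basename(rec["path"]) in MANIFEST_NAMES:
            hits[rec["ip"]].add(rec["path"].split("?", 1)[0])
    return dict(hits)


def flag_crawlers(lines, threshold=3):
    """Clients that requested at least `threshold` distinct manifest paths,
    as (ip, count) tuples sorted by count descending."""
    hits = manifest_requests(lines)
    flagged = [(ip, len(paths)) for ip, paths in hits.items() if len(paths) >= threshold]
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for ip, count in flag_crawlers(SAMPLE_LOG.splitlines()):
        print(f"possible manifest crawling from {ip}: {count} distinct manifest paths")
```

The threshold keeps a single developer fetching one package.json out of the alert; what a real deployment should use depends on how many manifests the site legitimately serves, and correlating the flagged addresses with the repository audit trail mentioned in the first bullet gives a second signal before anyone acts on the alert.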