Created
June 3, 2025 13:30
nullenc0de created this gist
Jun 3, 2025
@@ -0,0 +1,1194 @@ id: sensitive-credential-files info: name: Sensitive Credential File Discovery author: security-researcher severity: high description: Discovers exposed files containing credentials, API keys, passwords, and other sensitive data classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cwe-id: CWE-200,CWE-284,CWE-922 metadata: verified: true max-request: 20 tags: exposure,credentials,secrets,passwords,keys http: - method: GET path: # Environment & Configuration Files with Credentials - "{{BaseURL}}/.env" - "{{BaseURL}}/.env.local" - "{{BaseURL}}/.env.production" - "{{BaseURL}}/.env.development" - "{{BaseURL}}/.env.staging" - "{{BaseURL}}/.env.test" - "{{BaseURL}}/.env.bak" - "{{BaseURL}}/.env.backup" - "{{BaseURL}}/.env.old" - "{{BaseURL}}/.env.save" - "{{BaseURL}}/.env.example" - "{{BaseURL}}/.env.sample" - "{{BaseURL}}/.env.dist" - "{{BaseURL}}/.env.docker" - "{{BaseURL}}/.env.prod" - "{{BaseURL}}/.environment" - "{{BaseURL}}/.envrc" - "{{BaseURL}}/app.env" - "{{BaseURL}}/config.env" - "{{BaseURL}}/secrets.env" - "{{BaseURL}}/database.env" - "{{BaseURL}}/sendgrid.env" - "{{BaseURL}}/mailgun.env" - "{{BaseURL}}/stripe.env" - "{{BaseURL}}/github.env" - "{{BaseURL}}/config.php" - "{{BaseURL}}/configuration.php" - "{{BaseURL}}/config.json" - "{{BaseURL}}/config.yml" - "{{BaseURL}}/config.xml" - "{{BaseURL}}/settings.php" - "{{BaseURL}}/secrets.json" - "{{BaseURL}}/credentials.json" - "{{BaseURL}}/auth.json" - "{{BaseURL}}/database.yml" - "{{BaseURL}}/database.json" - "{{BaseURL}}/db_config.php" - "{{BaseURL}}/connect.php" - "{{BaseURL}}/connection.php" - "{{BaseURL}}/app.config" - "{{BaseURL}}/web.config" - "{{BaseURL}}/appsettings.json" - "{{BaseURL}}/connectionstrings.config" - "{{BaseURL}}/machine.config" - "{{BaseURL}}/application.properties" - "{{BaseURL}}/application.yml" - "{{BaseURL}}/bootstrap.properties" - "{{BaseURL}}/config.properties" - "{{BaseURL}}/keyfile.properties" headers: User-Agent: Mozilla/5.0 
(Windows NT 10.0; Win64; x64) AppleWebKit/537.36 matchers-condition: and matchers: - type: status status: - 200 - type: word words: - "APP_KEY=" - "DB_PASSWORD=" - "DATABASE_PASSWORD=" - "API_KEY=" - "SECRET_KEY=" - "PRIVATE_KEY=" - "ACCESS_TOKEN=" - "REFRESH_TOKEN=" - "AWS_SECRET_ACCESS_KEY=" - "GOOGLE_API_KEY=" - "STRIPE_SECRET=" - "MAILGUN_API_KEY=" - "TWILIO_AUTH_TOKEN=" - "SENDGRID_API_KEY=" - "GITHUB_TOKEN=" - "JWT_SECRET=" - "SESSION_SECRET=" condition: or case-insensitive: true - type: word words: - "<html" - "<head" - "<title" - "<body" - "<div" condition: or negative: true extractors: - type: regex part: body regex: - "(?i)(([a-z0-9]+)[-|_])?(key|password|passwd|pass|pwd|private|credential|auth|cred|creds|secret|access|token)([-|_][a-z]+)?[\\s]*[=:]+[\\s]*[\"']?([\\w\\-\\.@:/+=]{8,})[\"']?" - "(?i)[\"']?aws[_-]?secret[_-]?access[_-]?key[\"']?[^\\S\\r\\n]*[=:][^\\S\\r\\n]*[\"']?([\\w\\-/+=]{20,})[\"']?" - "(?i)[\"']?aws[_-]?access[_-]?key[_-]?id[\"']?[^\\S\\r\\n]*[=:][^\\S\\r\\n]*[\"']?([A-Z0-9]{16,})[\"']?" - "(?i)[\"']?github[_-]?token[\"']?[^\\S\\r\\n]*[=:][^\\S\\r\\n]*[\"']?(ghp_[\\w]{36}|gho_[\\w]{36}|ghu_[\\w]{36}|ghs_[\\w]{36}|ghr_[\\w]{36})[\"']?" - "(?i)[\"']?api[_-]?key[\"']?[^\\S\\r\\n]*[=:][^\\S\\r\\n]*[\"']?([\\w\\-]{16,})[\"']?" - "(?i)[\"']?(database|db|mysql|postgres)[_-]?password[\"']?[^\\S\\r\\n]*[=:][^\\S\\r\\n]*[\"']?([\\w\\-@#$%^&*()+=]{6,})[\"']?" - "(?i)[\"']?jwt[_-]?secret[\"']?[^\\S\\r\\n]*[=:][^\\S\\r\\n]*[\"']?([\\w\\-@#$%^&*()+=]{16,})[\"']?" 
group: 5 - method: GET path: # Cloud Service Credential Files - "{{BaseURL}}/.aws/config" - "{{BaseURL}}/.aws/credentials" - "{{BaseURL}}/.gcloud/credentials" - "{{BaseURL}}/.gcloud/credentials.db" - "{{BaseURL}}/.google/credentials.json" - "{{BaseURL}}/.azure/accessTokens.json" - "{{BaseURL}}/.azure/credentials" - "{{BaseURL}}/serviceaccount.json" - "{{BaseURL}}/service-account.json" - "{{BaseURL}}/service_account.json" - "{{BaseURL}}/google-services.json" - "{{BaseURL}}/firebase-adminsdk.json" - "{{BaseURL}}/firebase_config.json" - "{{BaseURL}}/aws_credentials" - "{{BaseURL}}/azure_credentials.json" - "{{BaseURL}}/gcp_credentials.json" - "{{BaseURL}}/.digitalocean/config.yaml" - "{{BaseURL}}/.heroku/credentials" - "{{BaseURL}}/client_secret.json" - "{{BaseURL}}/client_secrets.json" - "{{BaseURL}}/credentials.json" - "{{BaseURL}}/credentials.xml" - "{{BaseURL}}/oauth.json" - "{{BaseURL}}/oauth_credentials.json" - "{{BaseURL}}/token.json" - "{{BaseURL}}/refresh_token.json" - "{{BaseURL}}/access_tokens.json" - "{{BaseURL}}/api_keys.json" - "{{BaseURL}}/api_config.json" - "{{BaseURL}}/.kube/config" - "{{BaseURL}}/.docker/config.json" - "{{BaseURL}}/docker_config.json" headers: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 matchers-condition: and matchers: - type: status status: - 200 - type: word words: - "private_key" - "client_secret" - "access_token" - "refresh_token" - "service_account" - "aws_access_key_id" - "aws_secret_access_key" - "auth_uri" - "token_uri" - "private_key_id" condition: or case-insensitive: true - type: word words: - "<html" - "<head" - "<title" - "<body" - "<div" condition: or negative: true extractors: - type: regex part: body regex: - "(?i)\"private_key\"[\\s]*:[\\s]*\"([^\"]+)\"" - "(?i)\"client_secret\"[\\s]*:[\\s]*\"([^\"]+)\"" - "(?i)\"access_token\"[\\s]*:[\\s]*\"([^\"]+)\"" - "(?i)\"refresh_token\"[\\s]*:[\\s]*\"([^\"]+)\"" - "(?i)aws_access_key_id[\\s]*=[\\s]*([A-Z0-9]{16,})" - 
"(?i)aws_secret_access_key[\\s]*=[\\s]*([\\w\\-/+=]{20,})" group: 1 - method: GET path: # WordPress and CMS Configuration Files - "{{BaseURL}}/wp-config.php" - "{{BaseURL}}/wp-config-sample.php" - "{{BaseURL}}/wp-config.php.bak" - "{{BaseURL}}/wp-config.php~" - "{{BaseURL}}/wp-config.php.old" - "{{BaseURL}}/wp-config.php.save" - "{{BaseURL}}/wp-config.inc" - "{{BaseURL}}/wp-config.txt" - "{{BaseURL}}/config.inc.php" - "{{BaseURL}}/configuration.php" - "{{BaseURL}}/local.xml" - "{{BaseURL}}/app/etc/local.xml" - "{{BaseURL}}/config/database.yml" - "{{BaseURL}}/config/app.yml" - "{{BaseURL}}/app/config/database.yml" - "{{BaseURL}}/app/config/parameters.yml" - "{{BaseURL}}/config/secrets.yml" - "{{BaseURL}}/config/master.key" - "{{BaseURL}}/local_settings.py" - "{{BaseURL}}/settings/local.py" - "{{BaseURL}}/settings.php" - "{{BaseURL}}/database.php" - "{{BaseURL}}/db_connect.php" - "{{BaseURL}}/db_connection.php" - "{{BaseURL}}/database_config.php" - "{{BaseURL}}/db_credentials.json" - "{{BaseURL}}/mysql_config.php" - "{{BaseURL}}/postgres_config.php" - "{{BaseURL}}/mongodb_config.json" - "{{BaseURL}}/redis_config.json" headers: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 matchers-condition: and matchers: - type: status status: - 200 - type: word words: - "<?php" - "define(" - "password" - "secret" - "database" - "mysql" - "postgres" - "host:" - "username:" - "password:" condition: or case-insensitive: true - type: word words: - "<html" - "<head" - "<title" - "<body" - "<div" condition: or negative: true extractors: - type: regex part: body regex: - "(?i)define\\(['\"]DB_PASSWORD['\"][\\s]*,[\\s]*['\"]([^'\"]+)['\"]" - "(?i)define\\(['\"]DB_USER['\"][\\s]*,[\\s]*['\"]([^'\"]+)['\"]" - "(?i)['\"]password['\"][\\s]*[=>:][\\s]*['\"]([^'\"]{6,})['\"]" - "(?i)['\"]secret['\"][\\s]*[=>:][\\s]*['\"]([^'\"]{8,})['\"]" - "(?i)DATABASE_URL[\\s]*=[\\s]*['\"]([^'\"]+)['\"]" group: 1 - method: GET path: # SSH Keys and Certificates - "{{BaseURL}}/id_rsa" 
- "{{BaseURL}}/id_dsa" - "{{BaseURL}}/id_ecdsa" - "{{BaseURL}}/id_ed25519" - "{{BaseURL}}/.ssh/id_rsa" - "{{BaseURL}}/.ssh/id_dsa" - "{{BaseURL}}/.ssh/id_ecdsa" - "{{BaseURL}}/.ssh/id_ed25519" - "{{BaseURL}}/.ssh/authorized_keys" - "{{BaseURL}}/.ssh/config" - "{{BaseURL}}/.ssh/known_hosts" - "{{BaseURL}}/server.key" - "{{BaseURL}}/private.key" - "{{BaseURL}}/privatekey.key" - "{{BaseURL}}/key.pem" - "{{BaseURL}}/private.pem" - "{{BaseURL}}/cert.key" - "{{BaseURL}}/ssl.key" - "{{BaseURL}}/tls.key" - "{{BaseURL}}/certificate.key" - "{{BaseURL}}/client.key" - "{{BaseURL}}/rsa.key" - "{{BaseURL}}/ecdsa.key" - "{{BaseURL}}/signing.key" - "{{BaseURL}}/encryption.key" - "{{BaseURL}}/master.key" - "{{BaseURL}}/session.key" - "{{BaseURL}}/jwt.key" - "{{BaseURL}}/keystore.jks" - "{{BaseURL}}/truststore.jks" - "{{BaseURL}}/keyring.gpg" headers: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 matchers-condition: and matchers: - type: status status: - 200 - type: word words: - "-----BEGIN PRIVATE KEY-----" - "-----BEGIN RSA PRIVATE KEY-----" - "-----BEGIN DSA PRIVATE KEY-----" - "-----BEGIN EC PRIVATE KEY-----" - "-----BEGIN OPENSSH PRIVATE KEY-----" - "ssh-rsa" - "ssh-dss" - "ssh-ed25519" condition: or extractors: - type: regex part: body regex: - "(-----BEGIN [A-Z ]+PRIVATE KEY-----[\\s\\S]*?-----END [A-Z ]+PRIVATE KEY-----)" - "(ssh-rsa [A-Za-z0-9+/=]+)" - "(ssh-dss [A-Za-z0-9+/=]+)" - "(ssh-ed25519 [A-Za-z0-9+/=]+)" group: 1 - method: GET path: # Database Files and Backups - "{{BaseURL}}/database.sql" - "{{BaseURL}}/db.sql" - "{{BaseURL}}/backup.sql" - "{{BaseURL}}/dump.sql" - "{{BaseURL}}/users.sql" - "{{BaseURL}}/accounts.sql" - "{{BaseURL}}/customers.sql" - "{{BaseURL}}/payment_data.sql" - "{{BaseURL}}/user_export.csv" - "{{BaseURL}}/customer_data.sql" - "{{BaseURL}}/database_dump.sql" - "{{BaseURL}}/database.sqlite" - "{{BaseURL}}/database.db" - "{{BaseURL}}/app.db" - "{{BaseURL}}/users.db" - "{{BaseURL}}/accounts.db" - "{{BaseURL}}/wallet.dat" 
- "{{BaseURL}}/backup.zip" - "{{BaseURL}}/full_backup.zip" - "{{BaseURL}}/site_backup.zip" - "{{BaseURL}}/database.sql.bak" - "{{BaseURL}}/users.sql.bak" - "{{BaseURL}}/backup.tar.gz" - "{{BaseURL}}/db_backup.sql" - "{{BaseURL}}/mysql.sql" - "{{BaseURL}}/postgres.sql" - "{{BaseURL}}/mongodb.json" - "{{BaseURL}}/redis.rdb" headers: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 matchers-condition: and matchers: - type: status status: - 200 - type: word words: - "CREATE TABLE" - "INSERT INTO" - "DROP TABLE" - "UPDATE" - "SELECT" - "SQLite format" - "sqlite_master" - "PRAGMA" condition: or case-insensitive: true - type: word words: - "<html" - "<head" - "<title" - "<body" - "<div" condition: or negative: true extractors: - type: regex part: body regex: - "(?i)INSERT INTO [\\w_]+ \\([^)]*password[^)]*\\) VALUES \\(([^)]+)\\)" - "(?i)password['\"][\\s]*[=>:][\\s]*['\"]([^'\"]{6,})['\"]" - "(?i)api_key['\"][\\s]*[=>:][\\s]*['\"]([^'\"]{8,})['\"]" group: 1 - method: GET path: # Password and Authentication Files - "{{BaseURL}}/.htpasswd" - "{{BaseURL}}/htpasswd" - "{{BaseURL}}/passwd" - "{{BaseURL}}/password" - "{{BaseURL}}/passwords.txt" - "{{BaseURL}}/users.txt" - "{{BaseURL}}/accounts.txt" - "{{BaseURL}}/logins.txt" - "{{BaseURL}}/credentials.txt" - "{{BaseURL}}/auth.txt" - "{{BaseURL}}/shadow" - "{{BaseURL}}/master.passwd" - "{{BaseURL}}/auth_users.json" - "{{BaseURL}}/login_credentials.json" - "{{BaseURL}}/admin_users.json" - "{{BaseURL}}/service_users.json" - "{{BaseURL}}/user_sessions.json" - "{{BaseURL}}/session_store.json" - "{{BaseURL}}/ldap_config.json" - "{{BaseURL}}/active_directory.json" - "{{BaseURL}}/oauth_users.json" - "{{BaseURL}}/saml_config.xml" - "{{BaseURL}}/cas_config.json" - "{{BaseURL}}/radius_config.json" - "{{BaseURL}}/kerberos_config.json" headers: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 matchers-condition: and matchers: - type: status status: - 200 - type: regex regex: - 
"^[\\w]+:[\\$\\w\\./]{13,}" - "^[\\w\\.-]+@[\\w\\.-]+:[\\w\\$\\./]{8,}" - "\\$[0-9]\\$[\\w\\./]{50,}" - "^[\\w]+:\\{[A-Z0-9]+\\}" condition: or - type: word words: - "<html" - "<head" - "<title" - "<body" - "<div" condition: or negative: true extractors: - type: regex part: body regex: - "([\\w]+):[\\$\\w\\./]{13,}" - "([\\w\\.-]+@[\\w\\.-]+):([\\w\\$\\./]{8,})" - "(\\$[0-9]\\$[\\w\\./]{50,})" group: 0 - method: GET path: # Framework-Specific Secret Files - "{{BaseURL}}/secrets.yml" - "{{BaseURL}}/master.key" - "{{BaseURL}}/credentials.yml.enc" - "{{BaseURL}}/application_secrets.rb" - "{{BaseURL}}/production_secrets.rb" - "{{BaseURL}}/laravel_config.php" - "{{BaseURL}}/app_key.txt" - "{{BaseURL}}/jwt_secret.txt" - "{{BaseURL}}/session_secret.txt" - "{{BaseURL}}/cookie_secret.txt" - "{{BaseURL}}/csrf_token.txt" - "{{BaseURL}}/django_secret.py" - "{{BaseURL}}/flask_secret.py" - "{{BaseURL}}/express_session.js" - "{{BaseURL}}/nextauth_secret.txt" - "{{BaseURL}}/symfony_secret.yml" - "{{BaseURL}}/spring_secrets.properties" - "{{BaseURL}}/micronaut_secrets.yml" - "{{BaseURL}}/quarkus_secrets.properties" - "{{BaseURL}}/aspnet_secrets.json" - "{{BaseURL}}/blazor_secrets.json" - "{{BaseURL}}/react_env.json" - "{{BaseURL}}/vue_env.json" - "{{BaseURL}}/angular_env.json" - "{{BaseURL}}/svelte_env.json" headers: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 matchers-condition: and matchers: - type: status status: - 200 - type: word words: - "secret" - "key" - "token" - "password" - "credential" - "auth" - "api" - "private" condition: or case-insensitive: true - type: word words: - "<html" - "<head" - "<title" - "<body" - "<div" condition: or negative: true extractors: - type: regex part: body regex: - "(?i)(secret|key|token|password|credential|auth|api)[_-]?[a-z]*[\\s]*[=:][\\s]*['\"]?([\\w\\-@#$%^&*()+=]{8,})['\"]?" 
group: 2 - method: GET path: # Version Control Files - "{{BaseURL}}/.git/config" - "{{BaseURL}}/.git/HEAD" - "{{BaseURL}}/.git/index" - "{{BaseURL}}/.git/logs/HEAD" - "{{BaseURL}}/.git/refs/heads/master" - "{{BaseURL}}/.git/refs/heads/main" - "{{BaseURL}}/.gitignore" - "{{BaseURL}}/.gitmodules" - "{{BaseURL}}/.svn/entries" - "{{BaseURL}}/.svn/wc.db" - "{{BaseURL}}/.hg/hgrc" - "{{BaseURL}}/.bzr/branch/branch.conf" - "{{BaseURL}}/CVS/Root" - "{{BaseURL}}/CVS/Entries" headers: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 matchers-condition: and matchers: - type: status status: - 200 - type: word words: - "repositoryformatversion" - "ref:" - "tree" - "parent" - "author" - "committer" - ".git" - "refs/heads" - "password" - "token" - "secret" condition: or case-insensitive: true - type: word words: - "<html" - "<head" - "<title" - "<body" - "<div" condition: or negative: true extractors: - type: regex part: body regex: - "(?i)(password|token|secret|key)[=:][\\s]*([\\w\\-@#$%^&*()+=]{6,})" - "url[\\s]*=[\\s]*.*://([^:]+):([^@]+)@" group: 2 - method: GET path: # Log Files with Potential Credential Leaks - "{{BaseURL}}/error.log" - "{{BaseURL}}/access.log" - "{{BaseURL}}/debug.log" - "{{BaseURL}}/application.log" - "{{BaseURL}}/php_errors.log" - "{{BaseURL}}/error_log" - "{{BaseURL}}/logs/error.log" - "{{BaseURL}}/logs/application.log" - "{{BaseURL}}/logs/access.log" - "{{BaseURL}}/logs/debug.log" - "{{BaseURL}}/var/log/apache2/error.log" - "{{BaseURL}}/storage/logs/laravel.log" - "{{BaseURL}}/wp-content/debug.log" - "{{BaseURL}}/laravel.log" - "{{BaseURL}}/system.log" - "{{BaseURL}}/security.log" - "{{BaseURL}}/admin.log" - "{{BaseURL}}/user.log" - "{{BaseURL}}/login.log" - "{{BaseURL}}/auth.log" - "{{BaseURL}}/mysql.log" - "{{BaseURL}}/sql.log" - "{{BaseURL}}/transaction.log" - "{{BaseURL}}/audit.log" - "{{BaseURL}}/exception.log" headers: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 matchers-condition: and matchers: 
- type: status status: - 200 - type: word words: - "password=" - "api_key=" - "token=" - "secret=" - "auth=" - "key=" - "username=" - "login=" - "passwd=" - "ERROR" - "FATAL" - "Exception" - "Stack trace" condition: or case-insensitive: true - type: word words: - "<html" - "<head" - "<title" - "<body" - "<div" condition: or negative: true extractors: - type: regex part: body regex: - "(?i)(password|api_key|token|secret|auth|key)[=:]['\"]?([\\w\\-@#$%^&*()+=]{6,})['\"]?" - "(?i)(username|login|user)[=:]['\"]?([\\w\\.-]+@[\\w\\.-]+|[\\w\\.-]{3,})['\"]?" group: 2 - method: GET path: # CI/CD Files with Secrets - "{{BaseURL}}/.travis.yml" - "{{BaseURL}}/.gitlab-ci.yml" - "{{BaseURL}}/.circleci/config.yml" - "{{BaseURL}}/azure-pipelines.yml" - "{{BaseURL}}/bitbucket-pipelines.yml" - "{{BaseURL}}/.drone.yml" - "{{BaseURL}}/.github/workflows/ci.yml" - "{{BaseURL}}/.github/workflows/deploy.yml" - "{{BaseURL}}/.github/workflows/build.yml" - "{{BaseURL}}/.github/workflows/test.yml" - "{{BaseURL}}/Jenkinsfile" - "{{BaseURL}}/jenkins_config.xml" - "{{BaseURL}}/buildspec.yml" - "{{BaseURL}}/appspec.yml" - "{{BaseURL}}/docker-compose.yml" - "{{BaseURL}}/docker-compose.override.yml" - "{{BaseURL}}/docker-compose.dev.yml" - "{{BaseURL}}/docker-compose.prod.yml" - "{{BaseURL}}/kubernetes_secrets.yml" - "{{BaseURL}}/helm_values.yml" - "{{BaseURL}}/terraform_vars.tf" - "{{BaseURL}}/ansible_vault.yml" - "{{BaseURL}}/cloudformation_params.json" - "{{BaseURL}}/pulumi_config.json" headers: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 matchers-condition: and matchers: - type: status status: - 200 - type: word words: - "password:" - "token:" - "secret:" - "key:" - "api_key:" - "access_token:" - "secure:" - "encrypted:" - "env:" - "environment:" - "variables:" condition: or case-insensitive: true - type: word words: - "<html" - "<head" - "<title" - "<body" - "<div" condition: or negative: true extractors: - type: regex part: body regex: - 
"(?i)(password|token|secret|key|api_key|access_token):[\\s]*['\"]?([\\w\\-@#$%^&*()+=]{8,})['\"]?" group: 2 - method: GET path: # Backup Files with Credentials - "{{BaseURL}}/config.php.bak" - "{{BaseURL}}/config.php~" - "{{BaseURL}}/config.php.old" - "{{BaseURL}}/config.php.orig" - "{{BaseURL}}/config.php.save" - "{{BaseURL}}/config.php.tmp" - "{{BaseURL}}/config.json.bak" - "{{BaseURL}}/config.xml.old" - "{{BaseURL}}/settings.ini.orig" - "{{BaseURL}}/credentials.json.bak" - "{{BaseURL}}/secrets.yml.bak" - "{{BaseURL}}/env.bak" - "{{BaseURL}}/web.config.bak" - "{{BaseURL}}/web.config.old" - "{{BaseURL}}/web.config.orig" - "{{BaseURL}}/app.config.bak" - "{{BaseURL}}/application.properties.save" - "{{BaseURL}}/appsettings.Development.json" - "{{BaseURL}}/appsettings.Production.json" - "{{BaseURL}}/appsettings.Staging.json" - "{{BaseURL}}/launchSettings.json" - "{{BaseURL}}/session_backup.json" - "{{BaseURL}}/keychain_export.json" - "{{BaseURL}}/vault_backup.json" - "{{BaseURL}}/encrypted_backup.gpg" headers: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 matchers-condition: and matchers: - type: status status: - 200 - type: word words: - "password" - "secret" - "key" - "token" - "credential" - "auth" - "api" - "private" - "<?php" - "ConnectionStrings" condition: or case-insensitive: true - type: word words: - "<html" - "<head" - "<title" - "<body" - "<div" condition: or negative: true extractors: - type: regex part: body regex: - "(?i)(password|secret|key|token|credential|auth|api)[_-]?[a-z]*[\\s]*[=:][\\s]*['\"]?([\\w\\-@#$%^&*()+=]{6,})['\"]?" 
group: 2 - method: GET path: # Email and Communication Service Configuration - "{{BaseURL}}/email_config.json" - "{{BaseURL}}/smtp_config.json" - "{{BaseURL}}/imap_config.json" - "{{BaseURL}}/pop3_config.json" - "{{BaseURL}}/mailserver_config.json" - "{{BaseURL}}/mail_settings.php" - "{{BaseURL}}/email_settings.php" - "{{BaseURL}}/sendmail_config.php" - "{{BaseURL}}/postfix_config.json" - "{{BaseURL}}/dovecot_config.json" - "{{BaseURL}}/mattermost_config.json" - "{{BaseURL}}/rocket_chat.json" - "{{BaseURL}}/telegram_config.json" - "{{BaseURL}}/whatsapp_config.json" - "{{BaseURL}}/signal_config.json" - "{{BaseURL}}/zoom_config.json" - "{{BaseURL}}/teams_config.json" - "{{BaseURL}}/skype_config.json" - "{{BaseURL}}/webex_config.json" - "{{BaseURL}}/gotomeeting_config.json" headers: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 matchers-condition: and matchers: - type: status status: - 200 - type: word words: - "smtp_password" - "mail_password" - "email_password" - "api_key" - "auth_token" - "webhook" - "bot_token" - "client_secret" - "access_token" condition: or case-insensitive: true - type: word words: - "<html" - "<head" - "<title" - "<body" - "<div" condition: or negative: true extractors: - type: regex part: body regex: - "(?i)(smtp_password|mail_password|email_password|api_key|auth_token|bot_token|client_secret|access_token)[\\s]*[=:][\\s]*['\"]?([\\w\\-@#$%^&*()+=]{6,})['\"]?" 
group: 2 - method: GET path: # Package Manager and Dependency Files - "{{BaseURL}}/composer.json" - "{{BaseURL}}/composer.lock" - "{{BaseURL}}/composer_auth.json" - "{{BaseURL}}/package.json" - "{{BaseURL}}/package-lock.json" - "{{BaseURL}}/yarn.lock" - "{{BaseURL}}/pnpm-lock.yaml" - "{{BaseURL}}/Gemfile" - "{{BaseURL}}/Gemfile.lock" - "{{BaseURL}}/gem_credentials" - "{{BaseURL}}/requirements.txt" - "{{BaseURL}}/Pipfile" - "{{BaseURL}}/Pipfile.lock" - "{{BaseURL}}/poetry.lock" - "{{BaseURL}}/setup.py" - "{{BaseURL}}/pip_config" - "{{BaseURL}}/npm_config" - "{{BaseURL}}/npmrc" - "{{BaseURL}}/.npmrc" - "{{BaseURL}}/pom.xml" - "{{BaseURL}}/build.gradle" - "{{BaseURL}}/gradle.properties" - "{{BaseURL}}/nuget.config" - "{{BaseURL}}/packages.config" - "{{BaseURL}}/project.json" - "{{BaseURL}}/bower.json" - "{{BaseURL}}/.bowerrc" headers: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 matchers-condition: and matchers: - type: status status: - 200 - type: word words: - "dependencies" - "devDependencies" - "scripts" - "repository" - "auth-token" - "registry" - "token" - "username" - "password" condition: or case-insensitive: true - type: word words: - "<html" - "<head" - "<title" - "<body" - "<div" condition: or negative: true extractors: - type: regex part: body regex: - "(?i)(auth-token|registry|token|username|password)[\\s]*[=:][\\s]*['\"]?([\\w\\-@#$%^&*()+=/.]{6,})['\"]?" 
group: 2 - method: GET path: # Network and VPN Configuration - "{{BaseURL}}/vpn_config.json" - "{{BaseURL}}/openvpn_config.ovpn" - "{{BaseURL}}/wireguard_config.conf" - "{{BaseURL}}/ipsec_config.conf" - "{{BaseURL}}/l2tp_config.json" - "{{BaseURL}}/pptp_config.json" - "{{BaseURL}}/cisco_config.txt" - "{{BaseURL}}/juniper_config.txt" - "{{BaseURL}}/pfsense_config.xml" - "{{BaseURL}}/mikrotik_config.rsc" - "{{BaseURL}}/ftp_config.json" - "{{BaseURL}}/sftp_config.json" - "{{BaseURL}}/.netrc" - "{{BaseURL}}/.ftpconfig" - "{{BaseURL}}/.s3cfg" - "{{BaseURL}}/.boto" - "{{BaseURL}}/.credentials" - "{{BaseURL}}/.pgpass" - "{{BaseURL}}/.my.cnf" - "{{BaseURL}}/.pymongo.conf" headers: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 matchers-condition: and matchers: - type: status status: - 200 - type: word words: - "password" - "secret" - "key" - "psk" - "passphrase" - "username" - "login" - "auth" - "certificate" - "private" condition: or case-insensitive: true - type: word words: - "<html" - "<head" - "<title" - "<body" - "<div" condition: or negative: true extractors: - type: regex part: body regex: - "(?i)(password|secret|key|psk|passphrase|username|login|auth)[\\s]*[=:][\\s]*['\"]?([\\w\\-@#$%^&*()+=/.]{6,})['\"]?" 
group: 2 - method: GET path: # Payment Gateway and Service Configuration - "{{BaseURL}}/stripe_config.json" - "{{BaseURL}}/paypal_config.json" - "{{BaseURL}}/payment_gateway.json" - "{{BaseURL}}/square_config.json" - "{{BaseURL}}/braintree_config.json" - "{{BaseURL}}/authorize_net.json" - "{{BaseURL}}/twilio_config.json" - "{{BaseURL}}/sendgrid_config.json" - "{{BaseURL}}/mailgun_config.json" - "{{BaseURL}}/slack_config.json" - "{{BaseURL}}/slack_webhook.json" - "{{BaseURL}}/discord_webhook.json" - "{{BaseURL}}/teams_webhook.json" - "{{BaseURL}}/github_config.json" - "{{BaseURL}}/bitbucket_config.json" - "{{BaseURL}}/gitlab_config.json" - "{{BaseURL}}/analytics_config.json" - "{{BaseURL}}/google_analytics.json" - "{{BaseURL}}/mixpanel_config.json" - "{{BaseURL}}/amplitude_config.json" - "{{BaseURL}}/segment_config.json" - "{{BaseURL}}/intercom_config.json" - "{{BaseURL}}/zendesk_config.json" - "{{BaseURL}}/salesforce_config.json" - "{{BaseURL}}/hubspot_config.json" headers: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 matchers-condition: and matchers: - type: status status: - 200 - type: word words: - "api_key" - "secret_key" - "private_key" - "client_secret" - "auth_token" - "access_token" - "webhook_secret" - "publishable_key" - "merchant_id" - "client_id" condition: or case-insensitive: true - type: word words: - "<html" - "<head" - "<title" - "<body" - "<div" condition: or negative: true extractors: - type: regex part: body regex: - "(?i)(api_key|secret_key|private_key|client_secret|auth_token|access_token)[\"']?[\\s]*[=:][\\s]*[\"']?([\\w\\-@#$%^&*()+=]{8,})[\"']?" 
group: 2 - method: GET path: # Mobile and Common Configuration Files - "{{BaseURL}}/GoogleService-Info.plist" - "{{BaseURL}}/google-services.json" - "{{BaseURL}}/aws-exports.js" - "{{BaseURL}}/amplify-meta.json" - "{{BaseURL}}/serverless.yml" - "{{BaseURL}}/now.json" - "{{BaseURL}}/vercel.json" - "{{BaseURL}}/netlify.toml" - "{{BaseURL}}/heroku.yml" - "{{BaseURL}}/procfile" - "{{BaseURL}}/runtime.txt" - "{{BaseURL}}/app.yaml" - "{{BaseURL}}/app.yml" - "{{BaseURL}}/firebase.json" - "{{BaseURL}}/.firebaserc" - "{{BaseURL}}/amplify.yml" - "{{BaseURL}}/sam.yml" - "{{BaseURL}}/template.yaml" - "{{BaseURL}}/cloudbuild.yaml" - "{{BaseURL}}/skaffold.yaml" - "{{BaseURL}}/phpinfo.php" - "{{BaseURL}}/info.php" - "{{BaseURL}}/test.php" - "{{BaseURL}}/admin.php" - "{{BaseURL}}/login.php" - "{{BaseURL}}/crossdomain.xml" - "{{BaseURL}}/clientaccesspolicy.xml" - "{{BaseURL}}/humans.txt" - "{{BaseURL}}/sitemap.xml" - "{{BaseURL}}/robots.txt" headers: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 matchers-condition: and matchers: - type: status status: - 200 - type: word words: - "API_KEY" - "CLIENT_SECRET" - "GOOGLE_APP_ID" - "FIREBASE_API_KEY" - "AWS_REGION" - "api_key" - "client_secret" - "private_key" - "auth_token" - "password" - "secret" - "key" - "token" - "credential" - "auth" - "mysql" - "postgres" - "mongodb" - "redis" - "aws" - "google" - "azure" - "github" - "gitlab" - "docker" - "kubernetes" condition: or case-insensitive: true - type: word words: - "<html" - "<head" - "<title" - "<body" - "<div" condition: or negative: true extractors: - type: regex part: body regex: - "(?i)(API_KEY|CLIENT_SECRET|GOOGLE_APP_ID|FIREBASE_API_KEY|api_key|client_secret|private_key|auth_token|password|secret|key|token|credential|auth)[\\s]*[=:][\\s]*['\"]?([\\w\\-@#$%^&*()+=/.]{6,})['\"]?" - "(?i)(database|mysql|postgres|mongodb|redis)[_-]?(password|user|username|host|port)[\\s]*[=:][\\s]*['\"]?([\\w\\-@#$%^&*()+=/.]{3,})['\"]?" 
- "(?i)(aws|google|azure|github|gitlab|bitbucket)[_-]?(key|token|secret|password)[\\s]*[=:][\\s]*['\"]?([\\w\\-@#$%^&*()+=/.]{8,})['\"]?" group: 2
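Review bot: The matchers in several request blocks are loose enough that a file holding no credential is reported at `severity: high`: the last block fires on any non-HTML 200 whose body contains `key`, `auth`, `google` or `docker` at paths such as `/robots.txt`, `/sitemap.xml` and `/humans.txt`, and the package-manager block fires on `dependencies` or `scripts` in an ordinary `package.json`. Narrowing each word list to credential-bearing field names (such as the `aws_secret_access_key` and `client_secret` entries in the cloud-credential block) and dropping paths that cannot hold secrets would make a hit actionable. The extractors have two further problems: one `group` value is shared by patterns with different group counts (`group: 5` in the first block fits only the first pattern, and `group: 2` in the last block selects the field-name group of the second and third patterns), and where they do match they copy secret values, including whole private-key bodies, into scan output, so results have to be stored and shared as sensitive data or the capture limited to the field name. `max-request: 20` also understates the several hundred paths this template requests.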