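# Nuclei template: probes a web root for files that commonly carry credentials
# (.env files, cloud SDK credential stores, framework config, private keys,
# database dumps, password files, logs, CI definitions) and reports when the
# body looks like the real artifact rather than an HTML page.
#
# Indentation is significant for the nuclei YAML loader: `info`, `http`,
# matchers and extractors must nest exactly as below.
#
# NOTE(review): the extractors write the captured values (private keys,
# password hashes, tokens) straight into scan output, so results must be
# handled as sensitive data.
id: sensitive-credential-files

info:
  name: Sensitive Credential File Discovery
  author: nullenc0de
  severity: high
  description: Discovers exposed files containing credentials, API keys, passwords, and other sensitive data
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cwe-id: CWE-200,CWE-284,CWE-922
  metadata:
    verified: true
    # One GET per listed path: 25 + 16 + 16 + 14 + 12 + 12 + 11 + 9 = 115.
    # The previous value (8) only counted the request blocks, not the paths.
    max-request: 115
  tags: exposure,credentials,secrets,passwords,keys

http:
  - method: GET
    path:
      # Environment & Configuration Files with Credentials
      - "{{BaseURL}}/.env"
      - "{{BaseURL}}/.env.local"
      - "{{BaseURL}}/.env.production"
      - "{{BaseURL}}/.env.development"
      - "{{BaseURL}}/.env.staging"
      - "{{BaseURL}}/.env.test"
      - "{{BaseURL}}/.env.bak"
      - "{{BaseURL}}/.env.backup"
      - "{{BaseURL}}/.env.old"
      - "{{BaseURL}}/.env.save"
      - "{{BaseURL}}/.env.example"
      - "{{BaseURL}}/.env.sample"
      - "{{BaseURL}}/.env.dist"
      - "{{BaseURL}}/.env.docker"
      - "{{BaseURL}}/.env.prod"
      - "{{BaseURL}}/.environment"
      - "{{BaseURL}}/.envrc"
      - "{{BaseURL}}/app.env"
      - "{{BaseURL}}/config.env"
      - "{{BaseURL}}/secrets.env"
      - "{{BaseURL}}/database.env"
      - "{{BaseURL}}/sendgrid.env"
      - "{{BaseURL}}/mailgun.env"
      - "{{BaseURL}}/stripe.env"
      - "{{BaseURL}}/github.env"
    headers:
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      # At least one well-known variable name must be present ...
      - type: word
        words:
          - "APP_KEY="
          - "DB_PASSWORD="
          - "DATABASE_PASSWORD="
          - "API_KEY="
          - "SECRET_KEY="
          - "PRIVATE_KEY="
          - "ACCESS_TOKEN="
          - "REFRESH_TOKEN="
          - "AWS_SECRET_ACCESS_KEY="
          - "GOOGLE_API_KEY="
          - "STRIPE_SECRET="
          - "MAILGUN_API_KEY="
          - "TWILIO_AUTH_TOKEN="
          - "SENDGRID_API_KEY="
          - "GITHUB_TOKEN="
          - "JWT_SECRET="
        condition: or
        case-insensitive: true
      # ... and the body must not be an HTML page (catch-all routes / soft 404s).
      - type: word
        words:
          - "<html"
          - "<head"
          - "<title"
          - "<body"
          - "<div"
        condition: or
        negative: true
    extractors:
      # `group` applies to every regex in one extractor, so patterns with a
      # different capture-group layout live in separate extractors. The
      # original template used `group: 5` for all seven patterns, which only
      # fits the first one; the others never yielded a value.
      - type: regex
        part: body
        regex:
          # Generic KEY=value form; the value is capture group 5.
          # `[-_]` replaces the original `[-|_]`, which also matched a literal '|'.
          - "(?i)(([a-z0-9]+)[-_])?(key|password|passwd|pass|pwd|private|credential|auth|cred|creds|secret|access|token)([-_][a-z]+)?[\\s]*[=:]+[\\s]*[\"']?([\\w\\-\\.@:/+=]{8,})[\"']?"
        group: 5
      - type: regex
        part: body
        regex:
          # Provider-specific forms; each has exactly one capture group.
          - "(?i)[\"']?aws[_-]?secret[_-]?access[_-]?key[\"']?[^\\S\\r\\n]*[=:][^\\S\\r\\n]*[\"']?([\\w\\-/+=]{20,})[\"']?"
          - "(?i)[\"']?aws[_-]?access[_-]?key[_-]?id[\"']?[^\\S\\r\\n]*[=:][^\\S\\r\\n]*[\"']?([A-Z0-9]{16,})[\"']?"
          - "(?i)[\"']?github[_-]?token[\"']?[^\\S\\r\\n]*[=:][^\\S\\r\\n]*[\"']?(ghp_[\\w]{36}|gho_[\\w]{36}|ghu_[\\w]{36}|ghs_[\\w]{36}|ghr_[\\w]{36})[\"']?"
          - "(?i)[\"']?api[_-]?key[\"']?[^\\S\\r\\n]*[=:][^\\S\\r\\n]*[\"']?([\\w\\-]{16,})[\"']?"
          # The engine alternation is non-capturing so the value stays group 1.
          - "(?i)[\"']?(?:database|db|mysql|postgres)[_-]?password[\"']?[^\\S\\r\\n]*[=:][^\\S\\r\\n]*[\"']?([\\w\\-@#$%^&*()+=]{6,})[\"']?"
          - "(?i)[\"']?jwt[_-]?secret[\"']?[^\\S\\r\\n]*[=:][^\\S\\r\\n]*[\"']?([\\w\\-@#$%^&*()+=]{16,})[\"']?"
        group: 1

  - method: GET
    path:
      # Cloud Service Credential Files
      - "{{BaseURL}}/.aws/config"
      - "{{BaseURL}}/.aws/credentials"
      - "{{BaseURL}}/.gcloud/credentials"
      - "{{BaseURL}}/.gcloud/credentials.db"
      - "{{BaseURL}}/.google/credentials.json"
      - "{{BaseURL}}/.azure/accessTokens.json"
      - "{{BaseURL}}/serviceaccount.json"
      - "{{BaseURL}}/service-account.json"
      - "{{BaseURL}}/google-services.json"
      - "{{BaseURL}}/firebase-adminsdk.json"
      - "{{BaseURL}}/.digitalocean/config.yaml"
      - "{{BaseURL}}/.heroku/credentials"
      - "{{BaseURL}}/client_secret.json"
      - "{{BaseURL}}/client_secrets.json"
      - "{{BaseURL}}/credentials.json"
      - "{{BaseURL}}/credentials.xml"
    headers:
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        words:
          - "private_key"
          - "client_secret"
          - "access_token"
          - "refresh_token"
          - "service_account"
          - "aws_access_key_id"
          - "aws_secret_access_key"
          - "auth_uri"
          - "token_uri"
          - "private_key_id"
        condition: or
        case-insensitive: true
      - type: word
        words:
          - "<html"
          - "<head"
          - "<title"
          - "<body"
          - "<div"
        condition: or
        negative: true
    extractors:
      - type: regex
        part: body
        regex:
          # JSON-style `"field": "value"` and INI-style `field = value`; one group each.
          - "(?i)\"private_key\"[\\s]*:[\\s]*\"([^\"]+)\""
          - "(?i)\"client_secret\"[\\s]*:[\\s]*\"([^\"]+)\""
          - "(?i)\"access_token\"[\\s]*:[\\s]*\"([^\"]+)\""
          - "(?i)\"refresh_token\"[\\s]*:[\\s]*\"([^\"]+)\""
          - "(?i)aws_access_key_id[\\s]*=[\\s]*([A-Z0-9]{16,})"
          - "(?i)aws_secret_access_key[\\s]*=[\\s]*([\\w\\-/+=]{20,})"
        group: 1

  - method: GET
    path:
      # Configuration Files with Database Credentials
      - "{{BaseURL}}/config.php"
      - "{{BaseURL}}/config.inc.php"
      - "{{BaseURL}}/configuration.php"
      - "{{BaseURL}}/settings.php"
      - "{{BaseURL}}/database.php"
      - "{{BaseURL}}/wp-config.php"
      - "{{BaseURL}}/local.xml"
      - "{{BaseURL}}/app/etc/local.xml"
      - "{{BaseURL}}/config/database.yml"
      - "{{BaseURL}}/config/app.yml"
      - "{{BaseURL}}/app/config/database.yml"
      - "{{BaseURL}}/app/config/parameters.yml"
      - "{{BaseURL}}/config/secrets.yml"
      - "{{BaseURL}}/config/master.key"
      - "{{BaseURL}}/local_settings.py"
      - "{{BaseURL}}/settings/local.py"
    headers:
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      # NOTE(review): "password", "database", "mysql" on their own are weak
      # signals; the negative HTML matcher below carries most of the filtering.
      - type: word
        words:
          - "<?php"
          - "define("
          - "password"
          - "secret"
          - "database"
          - "mysql"
          - "postgres"
          - "host:"
          - "username:"
          - "password:"
        condition: or
        case-insensitive: true
      - type: word
        words:
          - "<html"
          - "<head"
          - "<title"
          - "<body"
          - "<div"
        condition: or
        negative: true
    extractors:
      - type: regex
        part: body
        regex:
          - "(?i)define\\(['\"]DB_PASSWORD['\"][\\s]*,[\\s]*['\"]([^'\"]+)['\"]"
          - "(?i)define\\(['\"]DB_USER['\"][\\s]*,[\\s]*['\"]([^'\"]+)['\"]"
          - "(?i)['\"]password['\"][\\s]*[=>:][\\s]*['\"]([^'\"]{6,})['\"]"
          - "(?i)['\"]secret['\"][\\s]*[=>:][\\s]*['\"]([^'\"]{8,})['\"]"
          - "(?i)DATABASE_URL[\\s]*=[\\s]*['\"]([^'\"]+)['\"]"
        group: 1

  - method: GET
    path:
      # SSH Keys and Certificates
      - "{{BaseURL}}/id_rsa"
      - "{{BaseURL}}/id_dsa"
      - "{{BaseURL}}/id_ecdsa"
      - "{{BaseURL}}/id_ed25519"
      - "{{BaseURL}}/.ssh/id_rsa"
      - "{{BaseURL}}/.ssh/id_dsa"
      - "{{BaseURL}}/.ssh/authorized_keys"
      - "{{BaseURL}}/server.key"
      - "{{BaseURL}}/private.key"
      - "{{BaseURL}}/privatekey.key"
      - "{{BaseURL}}/key.pem"
      - "{{BaseURL}}/private.pem"
      - "{{BaseURL}}/cert.key"
      - "{{BaseURL}}/ssl.key"
    headers:
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      # NOTE(review): the "ssh-*" words also match public-key material
      # (authorized_keys), which is a lower-impact finding than a PEM block.
      - type: word
        words:
          - "-----BEGIN PRIVATE KEY-----"
          - "-----BEGIN RSA PRIVATE KEY-----"
          - "-----BEGIN DSA PRIVATE KEY-----"
          - "-----BEGIN EC PRIVATE KEY-----"
          - "-----BEGIN OPENSSH PRIVATE KEY-----"
          - "ssh-rsa"
          - "ssh-dss"
          - "ssh-ed25519"
        condition: or
      # Added for consistency with the other request blocks: an HTML page that
      # merely mentions "ssh-rsa" (documentation, a soft 404) is not a key file.
      - type: word
        words:
          - "<html"
          - "<head"
          - "<title"
          - "<body"
          - "<div"
        condition: or
        negative: true
    extractors:
      - type: regex
        part: body
        regex:
          # Captures the whole PEM block (non-greedy up to the matching END line).
          - "(-----BEGIN [A-Z ]+PRIVATE KEY-----[\\s\\S]*?-----END [A-Z ]+PRIVATE KEY-----)"
          - "(ssh-rsa [A-Za-z0-9+/=]+)"
          - "(ssh-dss [A-Za-z0-9+/=]+)"
          - "(ssh-ed25519 [A-Za-z0-9+/=]+)"
        group: 1

  - method: GET
    path:
      # Database Files with Potential Data
      - "{{BaseURL}}/database.sql"
      - "{{BaseURL}}/db.sql"
      - "{{BaseURL}}/backup.sql"
      - "{{BaseURL}}/dump.sql"
      - "{{BaseURL}}/users.sql"
      - "{{BaseURL}}/accounts.sql"
      - "{{BaseURL}}/database.sqlite"
      - "{{BaseURL}}/database.db"
      - "{{BaseURL}}/app.db"
      - "{{BaseURL}}/users.db"
      - "{{BaseURL}}/accounts.db"
      - "{{BaseURL}}/wallet.dat"
    headers:
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      # NOTE(review): "UPDATE" and "SELECT" are case-insensitive here and will
      # match ordinary prose or JSON; expect false positives on non-HTML bodies.
      - type: word
        words:
          - "CREATE TABLE"
          - "INSERT INTO"
          - "DROP TABLE"
          - "UPDATE"
          - "SELECT"
          - "SQLite format"
          - "sqlite_master"
          - "PRAGMA"
        condition: or
        case-insensitive: true
      - type: word
        words:
          - "<html"
          - "<head"
          - "<title"
          - "<body"
          - "<div"
        condition: or
        negative: true
    extractors:
      - type: regex
        part: body
        regex:
          - "(?i)INSERT INTO [\\w_]+ \\([^)]*password[^)]*\\) VALUES \\(([^)]+)\\)"
          - "(?i)password['\"][\\s]*[=>:][\\s]*['\"]([^'\"]{6,})['\"]"
          - "(?i)api_key['\"][\\s]*[=>:][\\s]*['\"]([^'\"]{8,})['\"]"
        group: 1

  - method: GET
    path:
      # Password and Authentication Files
      - "{{BaseURL}}/.htpasswd"
      - "{{BaseURL}}/htpasswd"
      - "{{BaseURL}}/passwd"
      - "{{BaseURL}}/password"
      - "{{BaseURL}}/passwords.txt"
      - "{{BaseURL}}/users.txt"
      - "{{BaseURL}}/accounts.txt"
      - "{{BaseURL}}/logins.txt"
      - "{{BaseURL}}/credentials.txt"
      - "{{BaseURL}}/auth.txt"
      - "{{BaseURL}}/shadow"
      - "{{BaseURL}}/master.passwd"
    headers:
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      # Nuclei compiles these with Go's RE2 engine, where `^` anchors to the
      # start of the whole body unless `(?m)` is set. Without the flag the
      # original patterns could only ever match the first line of the file.
      - type: regex
        regex:
          - "(?m)^[\\w]+:[\\$\\w\\./]{13,}"
          - "(?m)^[\\w\\.-]+@[\\w\\.-]+:[\\w\\$\\./]{8,}"
          - "\\$[0-9]\\$[\\w\\./]{50,}"
          - "(?m)^[\\w]+:\\{[A-Z0-9]+\\}"
        condition: or
      - type: word
        words:
          - "<html"
          - "<head"
          - "<title"
          - "<body"
          - "<div"
        condition: or
        negative: true
    extractors:
      - type: regex
        part: body
        regex:
          - "([\\w]+):[\\$\\w\\./]{13,}"
          - "([\\w\\.-]+@[\\w\\.-]+):([\\w\\$\\./]{8,})"
          - "(\\$[0-9]\\$[\\w\\./]{50,})"
        # group 0 = the full match, i.e. user:hash pairs end up in the report.
        group: 0

  - method: GET
    path:
      # Log Files with Potential Credential Leaks
      - "{{BaseURL}}/error.log"
      - "{{BaseURL}}/access.log"
      - "{{BaseURL}}/debug.log"
      - "{{BaseURL}}/application.log"
      - "{{BaseURL}}/php_errors.log"
      - "{{BaseURL}}/error_log"
      - "{{BaseURL}}/logs/error.log"
      - "{{BaseURL}}/logs/application.log"
      - "{{BaseURL}}/var/log/apache2/error.log"
      - "{{BaseURL}}/storage/logs/laravel.log"
      - "{{BaseURL}}/wp-content/debug.log"
    headers:
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      # NOTE(review): "ERROR", "Exception" and "key=" fire on any exposed log,
      # credential-bearing or not; the finding is "log file exposed", the
      # extractor below decides whether a credential-looking token is present.
      - type: word
        words:
          - "password="
          - "api_key="
          - "token="
          - "secret="
          - "auth="
          - "key="
          - "username="
          - "login="
          - "passwd="
          - "ERROR"
          - "FATAL"
          - "Exception"
          - "Stack trace"
        condition: or
        case-insensitive: true
      - type: word
        words:
          - "<html"
          - "<head"
          - "<title"
          - "<body"
          - "<div"
        condition: or
        negative: true
    extractors:
      - type: regex
        part: body
        regex:
          # Group 1 is the field name, group 2 the value, in both patterns.
          - "(?i)(password|api_key|token|secret|auth|key)[=:]['\"]?([\\w\\-@#$%^&*()+=]{6,})['\"]?"
          - "(?i)(username|login|user)[=:]['\"]?([\\w\\.-]+@[\\w\\.-]+|[\\w\\.-]{3,})['\"]?"
        group: 2

  - method: GET
    path:
      # CI/CD Files with Secrets
      - "{{BaseURL}}/.travis.yml"
      - "{{BaseURL}}/.gitlab-ci.yml"
      - "{{BaseURL}}/.circleci/config.yml"
      - "{{BaseURL}}/azure-pipelines.yml"
      - "{{BaseURL}}/bitbucket-pipelines.yml"
      - "{{BaseURL}}/.drone.yml"
      - "{{BaseURL}}/.github/workflows/ci.yml"
      - "{{BaseURL}}/.github/workflows/deploy.yml"
      - "{{BaseURL}}/Jenkinsfile"
    headers:
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      # NOTE(review): "env:", "variables:" and "key:" appear in practically
      # every pipeline file, so a hit here means "CI definition is web-readable";
      # only the extractor indicates an inline secret.
      - type: word
        words:
          - "password:"
          - "token:"
          - "secret:"
          - "key:"
          - "api_key:"
          - "access_token:"
          - "secure:"
          - "encrypted:"
          - "env:"
          - "environment:"
          - "variables:"
        condition: or
        case-insensitive: true
      - type: word
        words:
          - "<html"
          - "<head"
          - "<title"
          - "<body"
          - "<div"
        condition: or
        negative: true
    extractors:
      - type: regex
        part: body
        regex:
          # Group 1 is the YAML key, group 2 the value.
          - "(?i)(password|token|secret|key|api_key|access_token):[\\s]*['\"]?([\\w\\-@#$%^&*()+=]{8,})['\"]?"
        group: 2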