A 3-step process for finding and reporting critical secrets:
Find secrets:
Look into source control like GitHub, GitLab, etc.
Use GitHub dorks for more directed searches, like https://github.com/techgaun/github-dorks/blob/master/github-dorks.txt
Search for secrets in commit history and across a full organisation with trufflehog: https://github.com/trufflesecurity/trufflehog
Try finding SonarQube or Jenkins instances; use #shodan for that. Check my previous thread for some ideas around it: https://twitter.com/AseemShrey/status/1508059759491964928
Here's how I found one: https://aseem-shrey.medium.com/mind-your-logs-how-a-build-log-from-a-jenkins-leaked-everything-603cf07fa85
Look into the website's JavaScript files. Here's a writeup around the same: https://infosecwriteups.com/one-token-to-leak-them-all-the-story-of-a-8000-npm-token-79b13af182a3
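The same search can be turned on your own build logs and shipped JS bundles before anyone else does it. This is an added example (not from the thread, and not trufflehog's code): it flags a few well-known key prefixes plus high-entropy `password = "..."`-style assignments and reports each hit redacted. The token formats and the sample log lines are constructed for illustration.

```python
import math
import re
from collections import Counter

PATTERNS = {  # well-known public key prefixes; exact formats are assumptions for this example
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "npm_token": re.compile(r"\bnpm_[A-Za-z0-9]{36}\b"),
}
# Catch-all for `password = "..."`-style assignments; the entropy check filters low-value hits.
GENERIC = re.compile(r"(?i)(?:secret|token|password|api[_-]?key)\w*\s*[:=]\s*[\"']?([A-Za-z0-9_\-/+=]{16,})")
ENTROPY_THRESHOLD = 3.5  # bits per character; random tokens land well above this

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def redact(value: str) -> str:
    """Show just enough to identify the hit in a report, never the whole secret."""
    return value[:4] + "..." + value[-4:] if len(value) > 12 else "***"

def find_secrets(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, kind, redacted_value) for each candidate secret in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        seen = set()  # avoid reporting one value twice when both rule sets match it
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                if m.group(0) not in seen:
                    seen.add(m.group(0))
                    findings.append((lineno, kind, redact(m.group(0))))
        for m in GENERIC.finditer(line):
            value = m.group(1)
            if value not in seen and shannon_entropy(value) >= ENTROPY_THRESHOLD:
                seen.add(value)
                findings.append((lineno, "high_entropy_assignment", redact(value)))
    return findings

# Constructed sample (Jenkins-log / JS-bundle style). AKIAIOSFODNN7EXAMPLE is the AWS docs placeholder key; the rest is made up.
SAMPLE = """[INFO] Starting build #42
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
const config = { npmToken: "npm_aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789" };
const github = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij";
db_password = "hunter2hunter2hunter2"
"""

if __name__ == "__main__":
    print(*find_secrets(SAMPLE), sep="\n")
```

The low-entropy `db_password` line is deliberately left unflagged to show the filter working; lower `ENTROPY_THRESHOLD` if you would rather review such hits by hand.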
Verify those secrets:
After you've found some secrets, it's time to verify them. For each individual key, look here: https://github.com/streaak/keyhacks
You can also use the latest trufflehog v3 to automatically verify over 600 types of secrets.
Report:
Find the company's program on #hackerone or #bugcrowd, or on their own bug bounty page.
If nothing like that exists, use connectbit to find contacts.
If even that doesn't help, check people on LinkedIn or Twitter for that org.
Here's a video on how to automatically find and verify secrets on GitHub, S3 buckets, etc. using trufflehog v3, plus an interview with the creator @InsecureNature.
Go on and check the video here:
You can read the unrolled version of this thread here: https://typefully.com/AseemShrey/s7zla3t