A 3 step process to finding and reporting critical secrets :

🧵👇
1️⃣ Find secrets :

➡ Look into source control like Github, gitlab etc

Use github dorks for more directed searches. Like https://github.com/techgaun/github-dorks/blob/master/github-dorks.txt
github-dorks/github-dorks.txt at master · techgaun/github-dorks

Find leaked secrets via github search. Contribute to techgaun/github-dorks development by creating an account on GitHub.

https://github.com/techgaun/github-dorks/blob/master/github-dorks.txt
➡ Search for secrets in commit history and full organisation by trufflehog : https://github.com/trufflesecurity/trufflehog
GitHub - trufflesecurity/trufflehog: Find credentials all over the place

Find credentials all over the place. Contribute to trufflesecurity/trufflehog development by creating an account on GitHub.

https://github.com/trufflesecurity/trufflehog
➡ Try finding sonarqube or Jenkins instances. Use #shodan for that. Check my previous thread for some ideas around it 😃 : https://twitter.com/AseemShrey/status/1508059759491964928
Here's how I found one : https://aseem-shrey.medium.com/mind-your-logs-how-a-build-log-from-a-jenkins-leaked-everything-603cf07fa85
Mind your Logs : How a build log from a Jenkins leaked everything

How much can an inconspicuous Jenkins log leak ? — Everything

https://aseem-shrey.medium.com/mind-your-logs-how-a-build-log-from-a-jenkins-leaked-everything-603cf07fa85
➡ Look into website's javascript files. Here's a writeup around the same : https://infosecwriteups.com/one-token-to-leak-them-all-the-story-of-a-8000-npm-token-79b13af182a3
One Token to leak them all : The story of a $8000 NPM_TOKEN

Not long ago, I started a youtube channel, HackingSimplified.

https://infosecwriteups.com/one-token-to-leak-them-all-the-story-of-a-8000-npm-token-79b13af182a3
2️⃣ Verify those secrets :

➡ After you've found some secrets it's time to verify those. For each individual key look here : https://github.com/streaak/keyhacks

You can use the latest trufflehog v3 to automatically verify for over 600 types of secrets as well 😃
GitHub - streaak/keyhacks: Keyhacks is a repository which shows quick ways in which API keys leaked...

Keyhacks is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid. - GitHub - streaak/keyhacks: Keyhacks is a repositor...

https://github.com/streaak/keyhacks
3️⃣ Report 💰

➡ Find the company's program on #hackerone or #bugcrowd or their own bug bounty page.

➡ If nothing like that exists, use connectbit to find contacts

➡ If even that doesn't help, check people on Linkedin or Twitter for that org
🅱🅾🅽🆄🆂

Here's a video of how to automatically find and verify secrets on github, s3 buckets etc using trufflehog v3 + an interview with the creator @InsecureNature

Go on and check the video here : 📹 🚀
You can read the unrolled version of this thread here: https://typefully.com/AseemShrey/s7zla3t
Finding and exploiting secrets | Aseem Shrey

A 3 step process to finding and reporting critical secrets : 🧵👇

https://typefully.com/AseemShrey/s7zla3t
You can follow @AseemShrey.
Tip: mention @twtextapp on a Twitter thread with the keyword “unroll” to get a link to it.

Latest Threads Unrolled:
There are a lot of misconceptions about the Turkish diaspora in Germany. Since i just finished writing an essay about this topic I thought it's time to give other people
Read more
Las mejores calculadoras online en 2020A thread http://totumat.com/2020/11/26/las-mejores-calculadoras-online-en-2020/ Cuando se estudian asignaturas que requieren de cálculos complicados, nada mejor que contar con una buena calculadora.
Read more
Mitigating #ClimateChange is as much about taking up new techs as about leaving others behindMost studies focus on #coal's global downfall but another #energy tech decline is loomingRead my new
Read more