A 3-step process for finding and reporting critical secrets:

🧵👇
1️⃣ Find secrets:

➡ Look into source control like GitHub, GitLab, etc.

Use GitHub dorks for more directed searches, like https://github.com/techgaun/github-dorks/blob/master/github-dorks.txt
➡ Search for secrets in commit history and across the full organisation with trufflehog: https://github.com/trufflesecurity/trufflehog
➡ Try finding SonarQube or Jenkins instances. Use #shodan for that. Check my previous thread for some ideas around it 😃 : https://twitter.com/AseemShrey/status/1508059759491964928
➡ Look into the website's JavaScript files. Here's a writeup around the same: https://infosecwriteups.com/one-token-to-leak-them-all-the-story-of-a-8000-npm-token-79b13af182a3
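As an added example (not from this thread and not trufflehog's code), here is a small Python scanner of the kind step 1 relies on: it checks a constructed JavaScript bundle for two well-known public key formats (AWS access key IDs, GitHub personal access tokens) and for high-entropy values assigned to secret-looking names, and redacts every hit so the output can go straight into a report without carrying the secret itself. All sample values are constructed placeholders.

```python
import math
import re

# Well-known public token formats (the same idea as trufflehog's detectors).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# Generic catch: a secret-looking name assigned a quoted literal of 16+ chars.
ASSIGNMENT = re.compile(
    r"(?i)\b(secret|token|api[_-]?key|password)\w*\s*[:=]\s*['\"]([^'\"]{16,})['\"]")

def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking keys score high, placeholders low."""
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))

def redact(value: str) -> str:
    # Keep only a short prefix so a finding can be shared safely.
    return f"{value[:4]}...(len={len(value)})"

def scan_text(text: str, entropy_threshold: float = 3.5) -> list:
    """Scan one file's contents line by line; returns (line_no, kind, preview) tuples."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hit = False
        for kind, pat in SECRET_PATTERNS.items():
            for m in pat.finditer(line):
                findings.append((line_no, kind, redact(m.group(0))))
                hit = True
        if hit:
            continue  # a known format already explains this line
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) >= entropy_threshold:
            kind = "high_entropy_" + m.group(1).lower()
            findings.append((line_no, kind, redact(m.group(2))))
    return findings

# Constructed sample of a bundled front-end file. The values are placeholders
# (AKIAIOSFODNN7EXAMPLE is the documented AWS example key, not a live one).
SAMPLE_JS = """\
const config = {
  apiBase: "https://api.example.test",
  aws_access_key: "AKIAIOSFODNN7EXAMPLE",
  github_token: "ghp_0123456789abcdefghijABCDEFGHIJ012345",
  api_key: "q8Zx3Lm9Vb2Ky7Rt4Wp6Ns1Hd5Jf0Gc",
  secret_placeholder: "aaaaaaaaaaaaaaaaaaaaaaaa",
};
"""
```

Running `scan_text(SAMPLE_JS)` flags lines 3, 4 and 5 and leaves the all-`a` placeholder alone, which is the entropy gate doing its job; real scanners add many more formats and then verify each hit against the issuing service.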
2️⃣ Verify those secrets:

➡ After you've found some secrets, it's time to verify them. For each individual key, look here: https://github.com/streaak/keyhacks

You can use the latest trufflehog v3 to automatically verify over 600 types of secrets as well 😃
3️⃣ Report 💰

➡ Find the company's program on #hackerone or #bugcrowd, or their own bug bounty page.

➡ If nothing like that exists, use connectbit to find contacts.

➡ If even that doesn't help, check people on LinkedIn or Twitter for that org.
🅱🅾🅽🆄🆂

Here's a video of how to automatically find and verify secrets on GitHub, S3 buckets, etc. using trufflehog v3, plus an interview with the creator @InsecureNature

Go on and check the video here: https://www.youtube.com/watch?v=iqC-hEd3hkE 📹 🚀
You can follow @AseemShrey.