355df83b59
modules/recon/private-key-exposure.yaml flags an exposed PEM private key on the BEGIN PRIVATE KEY marker, so a public key or prose that merely names a key is left alone, then extracts the key type. modules/recon/git-credentials-exposure.yaml flags an exposed git credential store on a remote url that carries an inline password, paired with a guard that drops a url shown inside an html page, then extracts the host the credential reaches. modules/recon/pypirc-exposure.yaml flags an exposed pypirc on an index section paired with a credential field, then extracts the pypi upload token. requiring the credential keeps a bare index listing from being reported. internal/modules/secret_file_exposure_test.go drives the three modules end to end through ExecuteHTTPModule and asserts the leak alongside the near misses a strict review wants pinned: a public key, prose that names a key, a remote url with no password, a pypi section with no credential, a credential shown in an html page, a plain 200 body and a 404, none of which may match. verify: go test ./internal/modules, each matcher, marker, guard and extractor proven to bite (break -> red, restore -> green).
# Git Credentials Exposure Detection Module
#
# Purpose: report a git credential store (.git-credentials) that is served
# over HTTP and contains a remote URL with an inline username:password.
# A bare remote URL with no password, or a credential-looking URL that is
# merely displayed inside an HTML page, is deliberately NOT reported
# (see the regex and negative word matchers below).

id: git-credentials-exposure

info:
  name: Git Credentials Exposure
  author: sif
  severity: high
  description: Detects an exposed git credential store that leaks tokens embedded in remote urls
  tags: [git, credentials, token, secret, exposure, recon]

type: http

http:
  method: GET
  # The two locations the credential store is probed at, relative to the
  # target base URL.
  paths:
    - "{{BaseURL}}/.git-credentials"
    - "{{BaseURL}}/.git/credentials"

  # NOTE(review): no explicit matcher condition is set here; the module
  # relies on every matcher below having to pass (a plain 200 body must
  # not be reported) -- confirm that this is the engine's default.
  matchers:
    # Only a successful response is considered; a 404 never matches.
    - type: status
      status:
        - 200

    # The body must carry a remote URL whose userinfo has BOTH a username
    # and a password (the `:` between them is mandatory), followed by `@`
    # and a host. A URL with no password therefore does not match.
    - type: regex
      part: body
      regex:
        - 'https?://[^:/@\s]+:[^@/\s]+@[A-Za-z0-9._-]+'

    # Guard: suppress the finding when the body looks like an HTML page
    # (any one of these tokens is enough, hence `condition: or`), so a
    # credential-shaped URL rendered in a web page is not reported as an
    # exposed store.
    - type: word
      part: body
      negative: true
      condition: or
      words:
        - "<!DOCTYPE"
        - "<!doctype"
        - "<html"
        - "<HTML"
        - "<head>"
        - "<title>"

  extractors:
    # Extracts only the host the credential reaches (capture group 1);
    # the username and the secret itself are intentionally not captured,
    # so the report names the affected remote without echoing the token.
    - type: regex
      name: git_host
      part: body
      regex:
        - 'https?://[^:/@\s]+:[^@/\s]+@([A-Za-z0-9._-]+)'
      group: 1