sif/modules/recon/git-credentials-exposure.yaml
Tigah 355df83b59 feat(modules): add private key, git and pypi secret exposure modules (#205)
modules/recon/private-key-exposure.yaml flags an exposed PEM private key on
the BEGIN PRIVATE KEY marker, so a public key or prose that merely names a key
is left alone, then extracts the key type.

modules/recon/git-credentials-exposure.yaml flags an exposed git credential
store on a remote url that carries an inline password, paired with a guard
that drops a url shown inside an html page, then extracts the host the
credential reaches.

modules/recon/pypirc-exposure.yaml flags an exposed pypirc on an index section
paired with a credential field, then extracts the pypi upload token. Requiring
the credential keeps a bare index listing from being reported.

internal/modules/secret_file_exposure_test.go drives the three modules end to
end through ExecuteHTTPModule and asserts the leak alongside the near misses a
strict review wants pinned: a public key, prose that names a key, a remote url
with no password, a pypi section with no credential, a credential shown in an
html page, a plain 200 body and a 404, none of which may match.

verify: go test ./internal/modules, each matcher, marker, guard and extractor
proven to bite (break -> red, restore -> green).
2026-06-22 17:10:45 -07:00

48 lines
946 B
YAML

# Git Credentials Exposure Detection Module
id: git-credentials-exposure

info:
  name: Git Credentials Exposure
  author: sif
  severity: high
  description: Detects an exposed git credential store that leaks tokens embedded in remote urls
  tags: [git, credentials, token, secret, exposure, recon]

type: http

http:
  method: GET
  paths:
    - "{{BaseURL}}/.git-credentials"
    - "{{BaseURL}}/.git/credentials"

  matchers:
    - type: status
      status:
        - 200

    - type: regex
      part: body
      regex:
        - 'https?://[^:/@\s]+:[^@/\s]+@[A-Za-z0-9._-]+'

    - type: word
      part: body
      negative: true
      condition: or
      words:
        - "<!DOCTYPE"
        - "<!doctype"
        - "<html"
        - "<HTML"
        - "<head>"
        - "<title>"

  extractors:
    - type: regex
      name: git_host
      part: body
      regex:
        - 'https?://[^:/@\s]+:[^@/\s]+@([A-Za-z0-9._-]+)'
      group: 1
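To see how the three matchers and the extractor above combine on real responses, here is a stand-alone Go evaluation of the module's own regexes and html guard words over constructed sample bodies that mirror the commit's near misses. This is an added illustration, not sif's ExecuteHTTPModule, and it assumes the matchers are ANDed (the commit's requirement that a plain 200 body must not match implies this) and that the negative word matcher passes only when none of the markers appear.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Patterns and guard words copied from modules/recon/git-credentials-exposure.yaml.
var (
	credentialRe = regexp.MustCompile(`https?://[^:/@\s]+:[^@/\s]+@[A-Za-z0-9._-]+`)
	hostRe       = regexp.MustCompile(`https?://[^:/@\s]+:[^@/\s]+@([A-Za-z0-9._-]+)`)
	htmlMarkers  = []string{"<!DOCTYPE", "<!doctype", "<html", "<HTML", "<head>", "<title>"}
)

// Evaluate applies the module's three matchers to one response and returns
// whether it fires plus the git_host extraction. Matchers are ANDed (assumed,
// see lead-in); the negative word matcher passes only with no html marker present.
func Evaluate(status int, body string) (matched bool, host string) {
	if status != 200 || !credentialRe.MatchString(body) {
		return false, ""
	}
	for _, m := range htmlMarkers {
		if strings.Contains(body, m) {
			return false, "" // credential rendered inside an html page: guard drops it
		}
	}
	if sub := hostRe.FindStringSubmatch(body); sub != nil {
		host = sub[1] // group 1 of the extractor regex
	}
	return true, host
}

// Constructed sample responses mirroring the commit's test cases (not real data).
var samples = []struct{ label string; status int; body string }{
	{"leaked store", 200, "https://deploy:s3cr3t-token@git.example.internal\n"},
	{"no password", 200, "https://deploy@git.example.internal\n"},
	{"inside html", 200, "<html><body>https://deploy:s3cr3t@git.example.internal</body></html>"},
	{"plain 200", 200, "ok\n"},
	{"not found", 404, "https://deploy:s3cr3t@git.example.internal\n"},
}

func main() {
	for _, s := range samples {
		matched, host := Evaluate(s.status, s.body)
		fmt.Printf("%-13s matched=%-5v host=%q\n", s.label, matched, host)
	}
}
```

Only the first sample fires, and it yields git.example.internal as the extracted host; every near miss from the commit message stays silent.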