create a secrets detection testbed branch with revoked credentials
commjoen opened this issue · 3 comments
commjoen commented
Steps to take:
- List secrets present in this issue
- Create a link to this issue in the web interface #250
- Implement keys below in a separate branch with a script to generate a container from it which can be scanned
- Add master merging script for the .github/scripts/docker-create-and-push.sh
Keys that can be added:
- Azure
- AWS
- GCP
- Git credentials: SSH key
- Git credentials: developer token
- private key RSA key & private ECC key
- GPG keychain (armored and not armored)
- AES keys
- Slack callback
- kubeconfig
- QR-code (will be hard to represent a secret which is detectable other than through entropy, skipping it)
- BasicAuth
- gradle credentials
- mvn credentials
- NPM
- Firebase push notification keys (android/ios)
- OTP Seed
- segment.io access keys
- Vault root token & unseal keys
- Any JWT Token
- Gitlab PAT
- Gpg armoured export private and public keys
- Azure devops access token
- onepassword emergency kit, 1password-credentials.json and accesstokens
- keybase paperkey
- IBM-cloud?
- Nomad credentials (wait till #299 happens)
- Spring boot Session token
- Slack access tokens: bot token & user token, app-level token & config token (requested, pending)
- Braze API-keys (requested)
- Lastpass integration/api-key
- Confidant key
- Docker hub access token
- Vagrant cloud access token
- confluence/jira secrets
- AWS instance profile
- add dockerconfig (https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/)
- secrets above with encodings (base64, Hex encoding)
- Database connection strings
- OIDC token
Which other secrets would you like to add? Please comment.
commjoen commented
Current secrets stored in the repo/docker/k8s/cloud:
- 5 Random human rememberable passwords in Git & Docker container
- 1 file containing a secret base64 encoded in Docker
- 1 random password in Java code with higher entropy (not used)
- 3 AWS keypairs in git history
- 3 secrets in TF state (requires cloud installation)
- 1 human readable secret in k8s/secret, 1 in k8s/configmap (requires k8s/cloud installation)
- 1 root token for vault after deployment of vault (requires vault & k8s/cloud installation)
- 1 root token and unseal keys committed (git show 6c4715c)
- 1 random value generated after startup
- 1 secret in github action
- 1 AES key
- multiple ciphertexts (6)
- 1 human readable secret in pw manager file (KeePass)
- 5 canarytoken-urls in container & code
- multiple secrets in java testing code (of which some used in the actual app)
- secrets in cross-compiled C binaries (2 secrets/binary for 3 binaries)
- 1 client credential
- 2 weak password hashes (md5/sha1)
- 3 hardcoded passwords in binaries (C/C++/Golang)
In https://github.com/commjoen/wrongsecrets/tree/experiment-bed :
- 1 Azure dotfile
- 1 Azure Devops access token
- 1 AES key
- 1 basic auth enriched curl script
- 1 Callback url for Slack (invalidated)
- 1 Docker hub access token
- 1 ECC keypair
- 1 Firebase project config
- 1 GCP service account access key export (blocked/disabled)
- github dev token (revoked)
- gitlab access/email/feed tokens (revoked)
- github access key (ssh)/1 SSH key pair (RSA-4096)
- 1 GPG armored exported private/public key
- 1 gpg binary private/secret keyring
- 1 kubeconfig (canarytoken)
- jwt.io generated jwt token with rs256 required keys
- Keybase paperkey
- Maven and Gradle auth setup (not working)
- NPM credentials (not working)
- 1 OTP seed
- 1 1Password emergency kit, JWT, and credentials file
- 1 RSA keypair
- segment.io token
- 1 Slack callback
- 1 Vagrant access token
- 2 slack tokens
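As an added illustration of what a scanner run against such a testbed has to handle (example code written here, not code from the wrongsecrets project or from this issue): a small Python detector for two of the secret classes in the lists above (AWS access key IDs and PEM private-key blocks) that also checks the base64- and hex-encoded variants the checklist asks for, with an entropy heuristic as fallback for opaque tokens. The pattern set is an illustrative subset, and the sample input, including the `AKIA...` placeholder value, is constructed.

```python
import base64
import math
import re

# Illustrative subset of the secret classes listed in the issue (assumption: two classes suffice to show the approach).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Candidate encoded blobs: the issue asks for base64- and hex-encoded copies of the secrets.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
HEX_TOKEN = re.compile(r"\b[0-9a-fA-F]{32,}\b")
DECODERS = [("base64", B64_TOKEN, lambda t: base64.b64decode(t, validate=True)),
            ("hex", HEX_TOKEN, bytes.fromhex)]


def shannon_entropy(s):
    """Bits per character; random key material scores high (cf. the QR-code/entropy note)."""
    return -sum(s.count(ch) / len(s) * math.log2(s.count(ch) / len(s)) for ch in set(s))


def _decoded_candidates(line):
    """Yield (encoding, text) for base64/hex tokens on the line that decode to ASCII."""
    for enc, pat, decode in DECODERS:
        for m in pat.finditer(line):
            try:
                yield enc, decode(m.group(0)).decode("ascii")
            except ValueError:  # bad padding, odd-length hex or non-ASCII bytes: not a hidden text secret
                pass


def scan(text, entropy_threshold=4.0):
    """Return (line_no, label) findings; hits inside encoded blobs carry the encoding in the label."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        hits = [name for name, pat in PATTERNS.items() if pat.search(line)]
        hits += [f"{name} ({enc}-encoded)" for enc, decoded in _decoded_candidates(line)
                 for name, pat in PATTERNS.items() if pat.search(decoded)]
        if not hits:  # nothing pattern-shaped: fall back to flagging high-entropy tokens
            hits = ["high_entropy_token" for tok in B64_TOKEN.findall(line)
                    if shannon_entropy(tok) >= entropy_threshold]
        findings += [(no, h) for h in hits]
    return findings


# Constructed sample "config file": plain, base64- and hex-encoded variants plus a benign line.
SAMPLE = "\n".join([
    "aws_access_key_id = AKIAEXAMPLEKEY000001",  # placeholder, not a real key ID
    "key_b64 = " + base64.b64encode(b"AKIAEXAMPLEKEY000001").decode(),
    "pem_hex = " + b"-----BEGIN RSA PRIVATE KEY-----".hex(),
    "password = hunter2",
])
```

Running `scan(SAMPLE)` reports the plain key on line 1, the base64-hidden key on line 2 and the hex-hidden PEM header on line 3, and nothing for the short benign line.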
commjoen commented
@bendehaan, what would be a good place to dump the other secrets for benchmarking? I guess we have to spread it a bit...
commjoen commented
Asked Slack via twitter for possible canarytokens...