Catch Azure SAS tokens in URLs?
colindean opened this issue · 2 comments
On the heels of this wild news about Microsoft leaking 38 TB of data because of a committed SAS token, maybe ripsecrets could audit for that, too.
Here are some examples from that doc:
```json
{
  "inputs": [
    {
      "storageType": "File",
      "source": {
        "sourceUrl": "https://my.blob.core.windows.net/source-en/source-english.docx?sv=2019-12-12&st=2021-01-26T18%3A30%3A20Z&se=2021-02-05T18%3A30%3A00Z&sr=c&sp=rl&sig=d7PZKyQsIeE6xb%2B1M4Yb56I%2FEEKoNIF65D%2Fs0IFsYcE%3D"
      },
      "targets": [
        {
          "targetUrl": "https://my.blob.core.windows.net/target/try/Target-Spanish.docx?sv=2019-12-12&st=2021-01-26T18%3A31%3A11Z&se=2021-02-05T18%3A31%3A00Z&sr=c&sp=wl&sig=AgddSzXLXwHKpGHr7wALt2DGQJHCzNFF%2F3L94JHAWZM%3D",
          "language": "es"
        },
        {
          "targetUrl": "https://my.blob.core.windows.net/target/try/Target-German.docx?sv=2019-12-12&st=2021-01-26T18%3A31%3A11Z&se=2021-02-05T18%3A31%3A00Z&sr=c&sp=wl&sig=AgddSzXLXwHKpGHr7wALt2DGQJHCzNFF%2F3L94JHAWZM%3D",
          "language": "de"
        }
      ]
    }
  ]
}
```
Looks like the presence of `sv` with an ISO date and `sig` query params, and `sig` is base64 encoded.
Adding these URLs to the end of `test/one_per_line/azure` reflects that ripsecrets doesn't already catch them.
Some more resources:
https://adamtheautomator.com/azure-sas-token/
https://improvado.io/docs/how-to-generate-an-azure-sas-token
I think the challenge here is that it's effectively a set of URL query parameters and they could be in any order.
It looks like from the screenshots I'm seeing of tokens and tables that there are `sv`, `ss`, `srt`, `sp`, `se`, `sr`, `st`, `spr`, `sig` query parameters, and these are required: `sv`, `sig`; and some others that may be required: `se`, `sp`, `sr`.
It seems like it might be OK to look for `core.windows.net` on the same line, but that then binds tightly to the public Azure storage…
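An order-independent version of the check sketched above, written as an added example for this thread (it is not ripsecrets code and does not use its regex engine): instead of one regex over the whole query string, it splits the query into parameters, requires `sv` to look like a `YYYY-MM-DD` version and `sig` to decode as a 44-character base64 HMAC-SHA256, and deliberately does not look at the host, so `core.windows.net` is not hard-wired. The assumption that every SAS `sig` has that exact base64 shape, the `storage.example.internal` host and the negative URLs in the sample are constructed for the example; the two Azure URLs are the ones quoted from the issue.

```python
"""Order-independent detection of Azure Storage SAS tokens in URLs.

Added example for this issue, not ripsecrets code. Heuristic: a URL whose
query string carries both `sv` (YYYY-MM-DD service version) and `sig`
(base64 HMAC-SHA256, 44 chars ending in '=') is treated as a SAS URL,
whatever order the parameters come in and whatever the host is.
"""
import base64
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

# Parameter names seen in SAS tokens (the list given in this thread).
SAS_PARAMS = {"sv", "ss", "srt", "sp", "se", "sr", "st", "spr", "sig"}
REQUIRED = {"sv", "sig"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
SV_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")  # e.g. sv=2019-12-12


def parse_query(query: str) -> dict:
    """Split a query string, decoding only percent-escapes.

    urllib's parse_qs() would turn a raw '+' inside a base64 signature
    into a space, which would break the signature check below."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(key, unquote(value))
    return params


def looks_like_sig(value: str) -> bool:
    """Assumption: sig is base64(HMAC-SHA256), i.e. 44 chars, '=' padded,
    decoding to exactly 32 bytes."""
    if len(value) != 44 or not value.endswith("="):
        return False
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def sas_details(url: str) -> Optional[dict]:
    """Return the SAS parameters of url, or None if it is not a SAS URL."""
    params = parse_query(urlsplit(url).query)
    if not REQUIRED.issubset(params):
        return None
    if not SV_RE.match(params["sv"]) or not looks_like_sig(params["sig"]):
        return None
    return {k: v for k, v in params.items() if k in SAS_PARAMS}


def find_sas_urls(text: str) -> list:
    """Every URL in text that carries a SAS token, in order of appearance."""
    return [u for u in URL_RE.findall(text) if sas_details(u) is not None]


# Constructed sample: the two Azure URLs quoted in this issue, the same
# token with its parameters reordered on a made-up non-Azure host, and
# three URLs that must NOT match (no query, no sig, sig not base64).
SAMPLE = """\
"sourceUrl": "https://my.blob.core.windows.net/source-en/source-english.docx?sv=2019-12-12&st=2021-01-26T18%3A30%3A20Z&se=2021-02-05T18%3A30%3A00Z&sr=c&sp=rl&sig=d7PZKyQsIeE6xb%2B1M4Yb56I%2FEEKoNIF65D%2Fs0IFsYcE%3D"
"targetUrl": "https://my.blob.core.windows.net/target/try/Target-Spanish.docx?sv=2019-12-12&st=2021-01-26T18%3A31%3A11Z&se=2021-02-05T18%3A31%3A00Z&sr=c&sp=wl&sig=AgddSzXLXwHKpGHr7wALt2DGQJHCzNFF%2F3L94JHAWZM%3D"
https://storage.example.internal/target/try/Target-German.docx?sig=AgddSzXLXwHKpGHr7wALt2DGQJHCzNFF%2F3L94JHAWZM%3D&sp=wl&sv=2019-12-12
https://my.blob.core.windows.net/public/readme.docx
https://my.blob.core.windows.net/public/readme.docx?sv=2019-12-12&sp=rl
https://example.com/download?sv=2019-12-12&sig=not-a-signature
"""

if __name__ == "__main__":
    for url in find_sas_urls(SAMPLE):
        d = sas_details(url)
        # sp (permissions) and se (expiry) are what a triager wants first.
        print(f"SAS token sp={d.get('sp')} se={d.get('se', '-')} in {url}")
```

Running the block flags the first three URLs (including the reordered, non-Azure one) and skips the last three. The `sp` and `se` values it reports are exactly what matters for triage of a leak like the one in the news: the permissions granted and how long the token stays valid.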
I think this one is tricky since the researchers intended to share the link; they just messed up the privileges on the link that they shared. There are tools that can try to detect this, but they're what I'd call "active scanners", meaning they actually reach out and make requests to the URLs to try to determine if they're over-provisioned. However, ripsecrets is intentionally not an active scanner, since that opens up a huge surface area of potential vulnerabilities that just haven't yet been exploited in other secret scanning tools :-)