
Basic auth string

Description

General

The Basic authentication string detector aims at catching any host/username/password triplet concatenated into a URI and used for HTTP authentication.

This definition is very broad, so to avoid raising many false alerts GitGuardian has come up with a range of validation steps and specifications that narrow the perimeter being examined.

Specifications

As defined in RFC 2617, HTTP Basic Authentication is a way to authenticate by providing a username and a password when making a request to a service exposed by a host. These credentials can be encoded in the request headers, but they can also appear in plain text in a URI. This detector focuses on the latter case.

To do so, the Basic authentication string detector starts by identifying documents that contain the string https?:// and that pass a filename banlist (see the prevalidators below). The detector then applies common detection techniques followed by post-validation tools.

For this detector, the host, username, and password must each follow a specific set of rules to be considered sensitive and therefore valid (the detector can also detect a specific port attached to the host if one exists):

host:

  • Set of rules to filter irrelevant host names such as api.example.com, plus the common host banlist maintained by GitGuardian (see banlist below).

username:

  • Set of rules to filter commonly banned usernames such as test-user or foo (see banlist below).

password:

  • Set of rules to filter irrelevant passwords such as password or test (see banlist below).

port (optional):

  • If the Basic authentication string detector detects a port on the host, its value is added to the list of matches.

Revoke the secret

This detector catches generic credentials, hence GitGuardian cannot infer the affected service. To properly revoke the credentials:

  1. Understand what service is impacted.
  2. Refer to the corresponding documentation to know how to revoke and rotate the credentials.

Examples

Examples that WILL be caught

```yaml
- text: >
    http://43f6017361224d098402974103bfc53d:a6a0538fc2934ba2bed32e08741b2cd3@my.host.live.something.com:9000/1
  username: 43f6017361224d098402974103bfc53d
  password: a6a0538fc2934ba2bed32e08741b2cd3
  host: my.host.live.something.com
  port: "9000"
- text: >
    http://43f6017361224d098402974103bfc53d:a6a0538fc2934ba2bed32e08741b2cd3@my.host.live.something.com/1
  username: 43f6017361224d098402974103bfc53d
  password: a6a0538fc2934ba2bed32e08741b2cd3
  host: my.host.live.something.com
```

Examples that WILL NOT be caught

  • Host name is not sensitive.

```yaml
- text: >
    http://43f6017361224d098402974103bfc53d:a6a0538fc2934ba2bed32e08741b2cd3@api.parse.com:9000/1
```

  • Username is not sensitive.

```yaml
- text: >
    http://test-user:a6a0538fc2934ba2bed32e08741b2cd3@my.host.live.something.com:9000/1
```

  • Password is not sensitive.

```yaml
- text: >
    http://43f6017361224d098402974103bfc53d:password@my.host.live.something.com:9000/1
```

Details for Basic auth string

  • High Recall: True

  • Validity Check: False

  • Minimum Number of Matches: 3

  • Occurrences found for one million commits: 87

  • Prefixed: True

  • PreValidators:

```yaml
- type: FilenameBanlistPreValidator
  banlist_extensions:
    - css
    - storyboard
    - xib
  banlist_filenames:
    - node_modules(/|\\)
    - vendors?(/|\\)
    - top-1000\.txt$
    - \.sops$
    - \.sops\.yaml$
  check_binaries: false
- type: ContentWhitelistPreValidator
  patterns:
    - https?://
```
  • PostValidators:

```yaml
host:
  - type: CommonHostBanlistPostValidator
  - type: ValueBanlistPostValidator
    patterns: ["api.parse.com", "host.xz"]
password:
  - type: CommonPasswordBanlistPostValidator
  - type: ValueBanlistPostValidator
    patterns:
      - \.env
      - env[. ]
      - str\(
      - \.getenv\(
      - \+[^+(\d]+?\+
      - \{[^}(\d]+?\}
      - token
      - test-pass
      - "123456"
      - adminpwd
      - mypass
  - type: MinimumLengthPostValidator
    length: 4
username:
  - type: CommonUsernameBanlistPostValidator
  - type: ValueBanlistPostValidator
    patterns: ["mailto", "login", "test-user", "admin2", "demo", "myuser"]
  - type: MinimumLengthPostValidator
    length: 4
```
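To make the pipeline described in the Specifications and the validator configuration above concrete, here is an added Python sketch of the same logic (example code written for this page, not GitGuardian's detector). It assumes the `CommonHostBanlist`, `CommonPasswordBanlist` and `CommonUsernameBanlist` validators reduce to the handful of values named on this page, and that a URI carrying userinfo is found with a simple regular expression; the real detector's lists and matching are broader.

```python
import re
from urllib.parse import urlsplit

# Content whitelist from the page: only text containing https?:// is considered.
# The regex below is an assumption of this example; it requires userinfo before the host.
BASIC_AUTH_URL = re.compile(r"https?://[^\s/@:]+:[^\s/@]+@[^\s/]+(?:/\S*)?")

# Banlists: the values quoted on the page plus its prose examples. The real
# "Common*Banlist" validators are far larger, so these sets are an approximation.
HOST_BANLIST = {"api.parse.com", "host.xz", "api.example.com"}
USERNAME_BANLIST = {"mailto", "login", "test-user", "admin2", "demo", "myuser", "foo"}
PASSWORD_BANLIST = {"token", "test-pass", "123456", "adminpwd", "mypass", "password", "test"}
# Regex bans from the page: env-var lookups, str()/getenv() calls, and
# "+var+" / "{var}" placeholders, i.e. code templates rather than literal secrets.
PASSWORD_BAN_PATTERNS = [r"\.env", r"env[. ]", r"str\(", r"\.getenv\(",
                         r"\+[^+(\d]+?\+", r"\{[^}(\d]+?\}"]
MIN_LENGTH = 4  # MinimumLengthPostValidator for username and password


def _passes(value, banlist, patterns=(), min_length=0):
    """Post-validation: reject short, banlisted or pattern-matching values."""
    if len(value) < min_length or value.lower() in banlist:
        return False
    return not any(re.search(p, value) for p in patterns)


def find_basic_auth_strings(text):
    """Return one match dict per URI whose host, username and password all validate."""
    results = []
    for m in BASIC_AUTH_URL.finditer(text):
        parts = urlsplit(m.group(0))
        host, user, pwd = parts.hostname or "", parts.username or "", parts.password or ""
        try:
            port = parts.port  # ValueError on a non-numeric port: treat as no port
        except ValueError:
            port = None
        if not (_passes(host, HOST_BANLIST)
                and _passes(user, USERNAME_BANLIST, min_length=MIN_LENGTH)
                and _passes(pwd, PASSWORD_BANLIST, PASSWORD_BAN_PATTERNS, MIN_LENGTH)):
            continue
        match = {"username": user, "password": pwd, "host": host}
        if port is not None:
            match["port"] = str(port)  # optional port is reported alongside the triplet
        results.append(match)
    return results
```

Run `find_basic_auth_strings` over the page's "WILL be caught" examples to get the username/password/host (and port) matches listed above; the "WILL NOT be caught" examples return an empty list.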