Basic auth string

Description

General

The Basic authentication string detector aims at catching any host/username/password triplet concatenated for HTTP authentication. This statement is very broad, so to avoid raising many false alerts, GitGuardian has defined a range of validation steps and specifications that narrow the perimeter the detector looks at.
Specifications

As defined in RFC 2617, HTTP Basic Authentication is a way to authenticate by providing a username and a password when making a request to a service exposed by a host. These credentials can be encoded in the headers of the request, but they can also appear in plain text in a URI. This detector focuses on the latter case.

To do so, the basic authentication string detector starts by identifying documents that match the https?:// regular expression and that satisfy a filename banlist (see the prevalidator hereunder). Then the detector uses common detection techniques and applies post-validation tools.

For this detector, host, username, and password must follow a specific set of rules to be considered sensitive and therefore valid (the detector can also detect a specific port attached to the host if one exists):
host:
- Set of rules to filter irrelevant host names such as api.example.com or the common host banlist identified by GitGuardian (see banlist hereunder).
username:
- Set of rules to filter commonly banned usernames such as test-user or foo (see banlist hereunder).
password:
- Set of rules to filter irrelevant passwords such as password or test (see banlist hereunder).
port (optional):
- If the Basic authentication string detector detects a port on the host, the value is added to the list of matches.
Revoke the secret

This detector catches generic credentials, hence GitGuardian cannot infer the concerned service. To properly revoke the credentials:
- Understand what service is impacted.
- Refer to the corresponding documentation to know how to revoke and rotate the credentials.
Examples

Examples that WILL be caught

- text: >
    http://43f6017361224d098402974103bfc53d:a6a0538fc2934ba2bed32e08741b2cd3@my.host.live.something.com:9000/1
  username: 43f6017361224d098402974103bfc53d
  password: a6a0538fc2934ba2bed32e08741b2cd3
  host: my.host.live.something.com
  port: "9000"
- text: >
    http://43f6017361224d098402974103bfc53d:a6a0538fc2934ba2bed32e08741b2cd3@my.host.live.something.com/1
  username: 43f6017361224d098402974103bfc53d
  password: a6a0538fc2934ba2bed32e08741b2cd3
  host: my.host.live.something.com

Examples that WILL NOT be caught

- Host name is not sensitive.
  - text: >
      http://43f6017361224d098402974103bfc53d:a6a0538fc2934ba2bed32e08741b2cd3@api.parse.com:9000/1
- Username is not sensitive.
  - text: >
      http://test-user:a6a0538fc2934ba2bed32e08741b2cd3@my.host.live.something.com:9000/1
- Password is not sensitive.
  - text: >
      http://43f6017361224d098402974103bfc53d:password@my.host.live.something.com:9000/1
Details for Basic auth string

High Recall: True
Validity Check: False
Minimum Number of Matches: 3
Occurrences found for one million commits: 87
Prefixed: True
Pre validators:
- type: FilenameBanlistPreValidator
  banlist_extensions:
    - css
    - storyboard
    - xib
  banlist_filenames:
    - node_modules(/|\\)
    - vendors?(/|\\)
    - top-1000\.txt$
    - \.sops$
    - \.sops\.yaml$
  check_binaries: false
- type: ContentWhitelistPreValidator
  patterns:
    - https?://

Post validators:
host:
  - type: CommonHostBanlistPostValidator
  - type: ValueBanlistPostValidator
    patterns: ["api.parse.com", "host.xz"]
password:
  - type: CommonPasswordBanlistPostValidator
  - type: ValueBanlistPostValidator
    patterns:
      - \.env
      - env[. ]
      - str\(
      - \.getenv\(
      - \+[^+(\d]+?\+
      - \{[^}(\d]+?\}
      - token
      - test-pass
      - "123456"
      - adminpwd
      - mypass
  - type: MinimumLengthPostValidator
    length: 4
username:
  - type: CommonUsernameBanlistPostValidator
  - type: ValueBanlistPostValidator
    patterns: ["mailto", "login", "test-user", "admin2", "demo", "myuser"]
  - type: MinimumLengthPostValidator
    length: 4
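The pipeline described in the Specifications section (filename and content pre-validation, extraction of the host/username/password triplet from a URL, then per-field post-validation) and the validator configuration listed just above, reduced to a runnable model. This is an added example, not GitGuardian's code. The filename banlist, the https?:// whitelist and the ValueBanlist patterns are copied from the page; the Common*Banlist lists are GitGuardian-internal, so the small sets used for them here are constructed stand-ins, and treating every ValueBanlist pattern as a case-insensitive regex search is an assumption. The sample document reuses the page's own example URLs.

```python
"""Toy model of the Basic auth string detector pipeline (added example, not GitGuardian code)."""
import re
from urllib.parse import urlsplit

# Pre-validators: a document is scanned only if its filename passes the banlist
# and its content matches the https?:// whitelist (values taken from the page).
BANLIST_EXTENSIONS = {"css", "storyboard", "xib"}
BANLIST_FILENAMES = [re.compile(p) for p in (
    r"node_modules(/|\\)", r"vendors?(/|\\)", r"top-1000\.txt$", r"\.sops$", r"\.sops\.yaml$")]
CONTENT_WHITELIST = re.compile(r"https?://")

# Candidate extraction: a scheme URL ending at whitespace or a quote/bracket (assumption).
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Post-validators. ValueBanlist patterns are the page's; the Common*Banlist sets are
# GitGuardian-internal, so the short sets below are constructed stand-ins.
HOST_BANLIST = [re.compile(p, re.I) for p in ("api.parse.com", "host.xz")]
COMMON_HOSTS = {"example.com", "api.example.com", "localhost"}  # constructed stand-in
USERNAME_BANLIST = [re.compile(p, re.I) for p in
                    ("mailto", "login", "test-user", "admin2", "demo", "myuser")]
COMMON_USERNAMES = {"foo", "user", "root"}  # constructed stand-in
PASSWORD_BANLIST = [re.compile(p, re.I) for p in (
    r"\.env", r"env[. ]", r"str\(", r"\.getenv\(", r"\+[^+(\d]+?\+", r"\{[^}(\d]+?\}",
    "token", "test-pass", "123456", "adminpwd", "mypass")]
COMMON_PASSWORDS = {"password", "test", "secret", "changeme"}  # constructed stand-in
MIN_LENGTH = 4


def filename_allowed(path: str) -> bool:
    """FilenameBanlistPreValidator: reject banned extensions and banned path patterns."""
    name = path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in BANLIST_EXTENSIONS:
        return False
    return not any(p.search(path) for p in BANLIST_FILENAMES)


def extract_candidates(text: str):
    """Yield host/username/password(/port) triplets from URLs that carry userinfo."""
    for m in URL_RE.finditer(text):
        parts = urlsplit(m.group(0))
        try:
            port = parts.port  # raises ValueError on a malformed port
        except ValueError:
            continue
        if not (parts.username and parts.password and parts.hostname):
            continue
        yield {
            "username": parts.username,
            "password": parts.password,
            "host": parts.hostname,
            "port": str(port) if port is not None else None,
        }


def _banned(value: str, common: set, patterns: list) -> bool:
    """Common*Banlist (exact, case-insensitive) plus ValueBanlist (regex search)."""
    return value.lower() in common or any(p.search(value) for p in patterns)


def is_sensitive(cand: dict) -> bool:
    """Per-field post-validators; every field must survive for the match to be reported."""
    if _banned(cand["host"], COMMON_HOSTS, HOST_BANLIST):
        return False
    if len(cand["username"]) < MIN_LENGTH or _banned(cand["username"], COMMON_USERNAMES, USERNAME_BANLIST):
        return False
    if len(cand["password"]) < MIN_LENGTH or _banned(cand["password"], COMMON_PASSWORDS, PASSWORD_BANLIST):
        return False
    return True


def scan(path: str, text: str) -> list:
    """Full pipeline: pre-validators, candidate extraction, post-validators."""
    if not filename_allowed(path) or not CONTENT_WHITELIST.search(text):
        return []
    return [c for c in extract_candidates(text) if is_sensitive(c)]


if __name__ == "__main__":
    # Constructed sample document reusing the page's example URLs; only DB_URL is reported.
    SAMPLE = """
    DB_URL = 'http://43f6017361224d098402974103bfc53d:a6a0538fc2934ba2bed32e08741b2cd3@my.host.live.something.com:9000/1'
    PARSE  = 'http://43f6017361224d098402974103bfc53d:a6a0538fc2934ba2bed32e08741b2cd3@api.parse.com:9000/1'
    TEST   = 'http://test-user:a6a0538fc2934ba2bed32e08741b2cd3@my.host.live.something.com:9000/1'
    WEAK   = 'http://43f6017361224d098402974103bfc53d:password@my.host.live.something.com:9000/1'
    """
    for match in scan("config/settings.py", SAMPLE):
        print(match)
```

Running the script reports only the first URL, with the port captured as a separate match value as the page's first example shows; the other three are dropped by the host, username and password banlists respectively, and the same document under a `.css` or `node_modules/` path is never scanned at all.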