Basic auth string
Description#
General#
The Basic authentication string detector aims at catching any triplet of host/username/password concatenated used for HTTP authentication.
This statement is pretty wide, therefore to avoid raising many false alerts, GitGuardian has come up with a range of validation steps and specifications to refine the perimeter to look at.
Specifications#
As defined in RFC 2617 documentation, HTTP Basic Authentication is a way to authenticate by providing a username and a password when making a request to a service exposed by an host. These credentials can be encoded in the headers of the query, but they can also appear as plain text in a URI. This detector focuses on this latter case.
To do so, the basic authentication string detector starts by identifying documents that matches the https?:// regular expression and that satisfy some filename banlist (see the prevalidator hereunder). Then the detector uses common detection techniques and applies post validation tools.
For this detector, host, username, and password must follow a specific set of rules to be considered as sensitive and therefore valid (the detector can also detect a specific port attached to the host if one exist):
host:
- Set of rules to filter irrelevant host names such as
api.example.comor the common host banlist identified by GitGuardian (see banlist hereunder).
username:
- Set of rules to filter common usernames banned such as
test-userorfoo(see banlist hereunder).
password:
- Set of rules to filter irrelevant passwords such as
passwordortest(see banlist hereunder).
port (optional)
- If Basic authentication string detector detects a port on the host, the value is added to the list of matches.
Revoke the secret#
This detector catches generic credentials, hence GitGuardian cannot infer the concerned service. To properly revoke the credentials:
- Understand what service is impacted.
- Refer to the corresponding documentation to know how to revoke and rotate the credentials.
Examples#
Examples that WILL be caught
- text: > http://43f6017361224d098402974103bfc53d:a6a0538fc2934ba2bed32e08741b2cd3@my.host.live.something.com:9000/1
username: 43f6017361224d098402974103bfc53d password: a6a0538fc2934ba2bed32e08741b2cd3 host: my.host.live.something.com port: "9000"- text: > http://43f6017361224d098402974103bfc53d:a6a0538fc2934ba2bed32e08741b2cd3@my.host.live.something.com/1
username: 43f6017361224d098402974103bfc53d password: a6a0538fc2934ba2bed32e08741b2cd3 host: my.host.live.something.comExamples that WILL NOT be caught
- Host name is not sensitive.
- text: > http://43f6017361224d098402974103bfc53d:a6a0538fc2934ba2bed32e08741b2cd3@api.parse.com:9000/1- Username is not sensitive.
- text: > http://test-user:a6a0538fc2934ba2bed32e08741b2cd3@my.host.live.something.com:9000/1- Password is not sensitive.
- text: > http://43f6017361224d098402974103bfc53d:password@my.host.live.something.com:9000/1Details for Basic auth string#
High Recall: True
Validity Check: False
Minimum Number of Matches: 3
Occurrences found for one million commits: 87
Prefixed: True
- type: FilenameBanlistPreValidator banlist_extensions: - css - storyboard - xib banlist_filenames: - node_modules(/|\\) - vendors?(/|\\) - top-1000\.txt$ - \.sops$ - \.sops\.yaml$ check_binaries: false- type: ContentWhitelistPreValidator patterns: - https?://host: - type: CommonHostBanlistPostValidator - type: ValueBanlistPostValidator patterns: ["api.parse.com", "host.xz"]
password: - type: CommonPasswordBanlistPostValidator - type: ValueBanlistPostValidator patterns: - \.env - env[. ] - str\( - \.getenv\( - \+[^+(\d]+?\+ - \{[^}(\d]+?\} - token - test-pass - "123456" - adminpwd - mypass - type: MinimumLengthPostValidator length: 4
username: - type: CommonUsernameBanlistPostValidator - type: ValueBanlistPostValidator patterns: ["mailto", "login", "test-user", "admin2", "demo", "myuser"] - type: MinimumLengthPostValidator length: 4