Skip to main content

Bearer token

Description#

General#

The bearer token detector aims at catching any token used for access in authentication methods such as OAuth 2.0.

This statement is pretty wide, therefore to avoid raising many false alerts, GitGuardian has come up with a range of validation steps and specifications to refine the perimeter we are looking at.

Specifications#

As defined in RFC 6750 documentation , Bearer authentication is a common HTTP authentication method. A Bearer token is usually attributed to a user after a successful login request to a server. The user then sends this token in requests headers to authenticate himself and to access some resources. This detector aims at catching Bearer tokens.

To do so, the bearer token detector starts by identifying documents that contain the string bearer and that satisfy GitGuardian's default filename banlist (see the prevalidator hereunder). Then the detector uses common detection techniques and applies post validation tools.

For this detector, the token must follow a specific set of rules to be considered as sensitive and therefore valid:

token

  • Caught token must be sensitive. Therefore, common values such as token or test are banned (see banlist hereunder)
  • Check that the token is not used for private or test domains. The detector looks around the token caught to see if a private/test hostname is detected such as example.com or IP addresses starting with 127.

Revoke the secret#

This detector catches generic bearer tokens, hence GitGuardian cannot infer the concerned service. To properly revoke the token :

  1. Understand what service is impacted.
  2. Refer to the corresponding documentation to know how to revoke and rotate the token.

Examples#

Examples that WILL be caught

- text: |    headers = {"Authorization": "Bearer aoekthaoexukatoehsxkth8324AOX"}  token: aoekthaoexukatoehsxkth8324AOX

Examples that WILL NOT be caught

  • The string bearer is not present in the document.
- text: |    headers = {"Authorization": "aoekthaoexukatoehsxkth8324AOX"}
  • The token caught is a test token.
- text: |    headers = {"Authorization": "Bearer test"}
  • A private IP is around the caught token.
- text: |    url = "127.0.0.0"    headers = {"Authorization": "Bearer aoekthaoexukatoehsxkth8324AOX"}

Details for Bearer token#

  • High Recall: False

  • Validity Check: False

  • Minimum Number of Matches: 1

  • Occurrences found for one million commits: 194

  • Prefixed: False

  • PreValidators:

- type: FilenameBanlistPreValidator  banlist_extensions:    - html    - css    - md    - lock    - storyboard    - xib  banlist_filenames:    - node_modules(/|\\)    - vendors?(/|\\)    - top-1000\.txt$    - \.sops$    - \.sops\.yaml$  check_binaries: false- type: ContentWhitelistPreValidator  patterns:    - bearer
- type: ValueBanlistPostValidator  patterns:    - authentication    - token    - test    - '^(x+|y+|z+)\.(x+|y+|z+)\.(x+|y+|z+)'    - "(abc){3}"    - "000000"    - '\.\.\.$'    - "123456"- type: EntropyPostValidator  entropy: 3- type: ContextWindowBanlistPostValidator  window_width: 200  patterns:    - local    - 127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}    - 10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}    - 172\.1[6-9]\.[0-9]{1,3}\.[0-9]{1,3}    - 172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3}    - 172\.3[0-1]\.[0-9]{1,3}\.[0-9]{1,3}    - 192\.168\.[0-9]{1,3}\.[0-9]{1,3}    - mydns\.net    - example\.(com|net)    - api\.a\.com- type: DictFilterPostValidator  min_word_length: 3  threshold_words_pct_matched: 0.6