# Company email password

## Description

### General

The company email password detector aims to catch any company email/password pair containing a sensitive email that could endanger a company's security.

This statement is quite broad, so to avoid raising many false alerts GitGuardian has come up with a range of validation steps and specifications that narrow the perimeter the detector looks at.
### Specifications

The two components of the pair that the detector catches are referred to as `username` and `password`, and they must be within a reasonable distance of each other inside a document to be flagged. This detector only flags the closest pair of matches.

For this detector, each element must follow a specific set of rules to be considered sensitive and therefore valid:

For both matches:
- Must be an assigned value, namely of the form `{assigned_variable} {assignment_token} {value}`, where `{assigned_variable}` is either `username`, `password`, or another similar string.
`username`:
- The document must contain the string `email` or `user` (see whitelist hereunder).
- Caught emails must be company related to be sensitive. Therefore, common personal email providers such as `gmail.com` are banned, as are non-sensitive aliases such as `no_reply` addresses (see banlist hereunder).
`password`:
- The document must contain the string `pass` (see whitelist hereunder).
- A set of rules filters out irrelevant passwords such as the literal `password`, or values that are a URL, a date, or a file name (see banlist hereunder).
## Revoke the secret

This detector catches generic credentials, hence GitGuardian cannot infer the service concerned. To properly revoke the credentials:
- Understand which service is impacted.
- Refer to the corresponding documentation to learn how to revoke and rotate the credentials.
## Examples

Examples that WILL be caught

```yaml
- text: |
    email=some.french.name@gitguardian.com password=abuaoentsubaoeub24234$@3!
  username: some.french.name@gitguardian.com
  password: abuaoentsubaoeub24234$@3!
- text: |
    user=whatever@gitguardian.com pass=th1slsth3b3stp@$$w0rdw3c0uidc@m3upwlth
  username: whatever@gitguardian.com
  password: th1slsth3b3stp@$$w0rdw3c0uidc@m3upwlth
```

Examples that WILL NOT be caught

- The email address is not sensitive (gmail.com).

```yaml
- text: |
    email=some.french.name@gmail.com password=abuaoentsubaoeub24234$@3!
```

- The password is a URL.

```yaml
- text: |
    user=whatever@gitguardian.com pass=www.google.com
```
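To make the Specifications concrete, here is an added Python example (written for this page, not GitGuardian's detector code) that re-implements the rules in simplified form: assignment extraction, the document whitelist, the email-domain and value banlists (short subsets of the lists under Details), the entropy, context-window and URL/date/file-name checks, and the closest-pair rule. The assignment regex, the 200-character distance limit, the entropy formula, the heuristic regexes and the "25 characters to the left of the value" reading of the context window are assumptions; the four `gitguardian.com`/`gmail.com` sample texts are the examples above, the `acme.example` ones are constructed.

```python
"""Simplified re-implementation of the detector rules described on this page.

Added example, not GitGuardian's code. Banlists are short subsets of the ones
listed under Details; the assignment regex, the 200-character distance limit,
the entropy formula, the URL/date/file-name heuristics and the "25 characters
left of the value" context window are assumptions made for illustration.
"""
import math
import re
from collections import Counter
from typing import Optional, Tuple

# {assigned_variable} {assignment_token} {value}; the variable may be quoted (JSON/YAML).
ASSIGNMENT = re.compile(
    r"""["']?(?P<var>[A-Za-z_][A-Za-z0-9_.-]*)["']?\s*(?P<tok>:=|=>|[:=])\s*"""
    r"""(?P<value>"[^"]+"|'[^']+'|\S+)"""
)
USERNAME_VARS = re.compile(r"user|email|login|mail", re.I)
PASSWORD_VARS = re.compile(r"pass|pwd|secret", re.I)
EMAIL = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")

# ContentWhitelistPreValidator: the document must mention "email"/"user" AND "pass".
DOC_WHITELIST = (re.compile(r"email|user", re.I), re.compile(r"pass", re.I))
# EmailDomainBanlistPostValidator (subset): personal providers are not company emails.
BANNED_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "icloud.com"}
# ValueBanlistPostValidator (subsets). Patterns are case-insensitive; the assignment
# pattern uses (?-i:...) to turn case-sensitivity back on for its own alternation.
USERNAME_BANLIST = [re.compile(p, re.I) for p in
                    (r"^test", r"no[_.-]reply", r"noreply", r"^foo@", r"^ex[ae]mpl", r"^admin")]
PASSWORD_BANLIST = [re.compile(p, re.I) for p in (
    r"^none", r"^null", r"pass", r"^admin", r"1234", r"test",
    r"^\$(1|2|sha1|5|6|2(a|b|x|y))\$[0-9]{1,2}\$",  # crypt/bcrypt hash, not a password
    r"\*{7}", r"^[^a-z0-9]+$")]
ASSIGNMENT_BANLIST = re.compile(
    r"^(?-i:[a-zA-Z0-9]{1,3}[A-Z0-9](Pwd|PWd|PwD|pWD|pWd|pwD))$|salt", re.I)
# ContextWindowBanlistPostValidator: words meaning "this value is not a plain password".
CONTEXT_BANLIST = re.compile(r"passenger|pgadmin|mango|redis|postgres|hash|crypt|passed:", re.I)
WINDOW_WIDTH = 25
# HeuristicPostValidator filters (assumed regexes): url, date, file_name.
URL = re.compile(r"^(https?://|www\.)|\.(com|org|net|io)(/|$)", re.I)
DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$|^\d{1,2}/\d{1,2}/\d{2,4}$")
FILE_NAME = re.compile(r"^[\w.-]+\.(txt|json|ya?ml|py|js|pem|key|env|conf)$", re.I)
MIN_ENTROPY = 1.0   # EntropyPostValidator: entropy: 1 (bits per character)
MAX_DISTANCE = 200  # assumed "reasonable distance" between the two values


def shannon_entropy(value: str) -> float:
    """Shannon entropy in bits per character; 0.0 for an empty or single-symbol string."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values()) if n else 0.0


def valid_username(value: str) -> bool:
    """A syntactically valid email whose domain and local part are not banned."""
    m = EMAIL.match(value)
    if not m or m.group(1).lower() in BANNED_DOMAINS:
        return False
    return not any(p.search(value) for p in USERNAME_BANLIST)


def valid_password(var: str, value: str, left_context: str) -> bool:
    """Reject placeholder names, hashes, URLs/dates/file names and low-entropy values."""
    if ASSIGNMENT_BANLIST.search(var) or CONTEXT_BANLIST.search(left_context):
        return False
    if any(p.search(value) for p in PASSWORD_BANLIST):
        return False
    if URL.search(value) or DATE.match(value) or FILE_NAME.match(value):
        return False
    return shannon_entropy(value) >= MIN_ENTROPY


def detect(text: str) -> Optional[Tuple[str, str]]:
    """Return the closest valid (username, password) pair in `text`, or None."""
    if not all(p.search(text) for p in DOC_WHITELIST):
        return None
    usernames, passwords = [], []
    for m in ASSIGNMENT.finditer(text):
        var, value, pos = m.group("var"), m.group("value").strip("\"'"), m.start("value")
        if USERNAME_VARS.search(var) and valid_username(value):
            usernames.append((pos, value))
        elif PASSWORD_VARS.search(var) and valid_password(var, value, text[max(0, pos - WINDOW_WIDTH):pos]):
            passwords.append((pos, value))
    # Only the closest username/password couple is reported.
    pairs = [(abs(u - p), uv, pv) for u, uv in usernames for p, pv in passwords if abs(u - p) <= MAX_DISTANCE]
    return min(pairs)[1:] if pairs else None


# Constructed sample documents: the four texts from the Examples section above, plus
# three extra cases (acme.example is a made-up domain) exercising other rules.
SAMPLES = {
    "company_email": "email=some.french.name@gitguardian.com password=abuaoentsubaoeub24234$@3!",
    "user_pass": "user=whatever@gitguardian.com pass=th1slsth3b3stp@$$w0rdw3c0uidc@m3upwlth",
    "json_style": '{"username": "ops@acme.example", "password": "Qz7!mP2#vL9k"}',
    "gmail": "email=some.french.name@gmail.com password=abuaoentsubaoeub24234$@3!",
    "url_password": "user=whatever@gitguardian.com pass=www.google.com",
    "bcrypt_hash": "email=ci-bot@acme.example password=$2b$12$abcdefghijklmnopqrstuv",
    "redis_context": "email=ops@acme.example redis_password=Qz7!mP2#vL9k",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:14} -> {detect(text)}")
```

Running the script prints one line per sample: the two `gitguardian.com` texts and the JSON-style one yield a pair, while the gmail address, the URL, the bcrypt hash and the password preceded by `redis` in its left context all come back `None`. Note how the `(?-i:...)` group in the assignment banlist matters: the banlists are compiled case-insensitively, so without it the `Pwd`/`PWd`/... alternation would collapse to a single case-folded match.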
## Details for Company email password

- High Recall: False
- Validity Check: False
- Minimum Number of Matches: 2
- Occurrences found for one million commits: 190
- Prefixed: False
### Pre-validators

```yaml
- type: FilenameBanlistPreValidator
  banlist_extensions: ["gzip"]
  banlist_filenames: ["(?i:fixture)", "(?i:test)", "(?i:seed)"]
  check_binaries: False
- type: ContentWhitelistPreValidator
  patterns:
    - email
    - user
- type: ContentWhitelistPreValidator
  patterns:
    - pass
```

### Post-validators

```yaml
password:
  - type: CommonValueBanlistPostValidator
  - type: CommonPasswordBanlistPostValidator
  - type: ValueBanlistPostValidator
    patterns:
      - ^none
      - ^null
      - ^empty
      - ^user
      - pass
      - senha # password in Portuguese
      - ^root
      - ^admin
      - ^true
      - ^and
      - ^prompt
      - ^final$
      - ^string$
      - ^self
      - ^email
      - ^raw
      - ^your
      - ^new$
      - ^temp$
      - ^function$
      - ^undefined$
      - ^auth_email$
      - ^false$
      - ^request$
      - test
      - ^req$
      - "1234"
      - ^#
      - ^vault
      - ^value$
      - ^java
      - ^ansible
      - ^demo
      - "123213123"
      - ^guest
      - ^visit$
      - ^coffee123$
      - ^123bla456bla$
      - ^description$
      - '^\$(1|2|sha1|5|6|2(a|b|x|y))\$[0-9]{1,2}\$' # https://en.wikipedia.org/wiki/Bcrypt
      - '^pbkdf2_sha256\$' # hashed password
      - "^aqaaaaeaaccqaaaae" # hashed password
      - ^DateTime$
      - ^CompanyEmail$
      - ^string
      - ^equalTo$
      - ^Content-Type$
      - ^Role\.User$
      - ^e\.target\.value$
      - ^temp@123$
      - \.find_element_by_css$
      - ^process\.env\.
      - ^get\-content$
      - ^encodingutils\.sha256
      - '\*{7}'
      - ^[~^]?[0-9]+\.[0-9]+\.[0-9]+$
      - ^[^a-z0-9]+$
  - type: EntropyPostValidator
    entropy: 1
  - type: HeuristicPostValidator
    filters:
      - url
      - date
      - file_name
  - type: DictFilterPostValidator
    threshold_words_pct_matched: 1
  - type: ContextWindowBanlistPostValidator
    patterns: [ "passenger", "pgadmin", "mango", "redis", "postgres", "hash", "crypt", "passed:" ]
    window_width: 25
    window_type: "left"
  - type: AssignmentBanlistPostValidator
    patterns:
      - ^(?-i:[a-zA-Z0-9]{1,3}[A-Z0-9](Pwd|PWd|PwD|pWD|pWd|pwD))$
      - salt

username:
  - type: EmailDomainBanlistPostValidator
    additionnal_banned_domains:
      # non-exhaustive list of email providers and their domains
      # google
      - gmail.com
      # microsoft
      - outlook.com
      - outlook.fr
      - hotmail.fr
      - hotmail.ca
      - hotmail.de
      - hotmail.gr
      - hotmail.com
      - hotmail.co.uk
      - outlook.com.tr
      - outlook.com.br
      - live.fr
      - live.in
      - live.dk
      - live.de
      - live.cn
      - live.com
      - live.co.uk
      - live.com.ar
      - live.com.mx
      - live.com.ar
      - live.com.pt
      - msn.com
      # yahoo
      - yahoo.com
      - yahoo.fr
      - yahoo.es
      - yahoo.it
      - yahoo.co.uk
      - yahoo.co.jp
      - yahoo.com.tw
      - yahoo.com.br
      - yahoo.com.hk
      - ymail.com
      - rocketmail.com
      # chinese email providers
      - qq.com
      - 163.com
      - 126.com
      # apple
      - me.com
      - icloud.com
      # yandex
      - yandex.ru
      - yandex.com
      # GMX
      - gmx.com
      - gmx.fr
      - gmx.us
      - caramail.fr
      - caramail.com
      # disposable mail
      - yopmail.com
      - mailinator.com
      # others
      - orange.fr
      - mail.com
      - mail.ru
      - naver.com
      - aol.com
      - protonmail.com
      - foxmail.com
      - chmail.ir
      # test domains
      - something.com
      - abc.com
      - pgadmin.org
      - emailaccount.com
      - person.com
  - type: CommonValueBanlistPostValidator
  - type: ValueBanlistPostValidator
    patterns:
      - ^none
      - ^null
      - ^empty
      - ^user
      - ^pass
      - ^root
      - ^admin
      - ^true
      - ^and
      - ^prompt
      - '@\.*local'
      - ^self
      - ^email
      - ^raw
      - ^your
      - ^random
      - ^info
      - ^bla
      - ^support
      - ^vault
      - test
      - sample
      - dummy
      - no[_.-]reply
      - ghost
      - abcdef
      - noaddressemail
      - noreply
      - contact-email
      - fake
      - ^xxx
      - ^wolf@thedoor.com$
      - ^company@company.com$
      - ^john@doe
      - ^temp@temp
      - ^google@google
      - ^foo@
      - ^ex[ae]mpl
      - ^me@
      - ^foo@bar
      - ^abc@
      - \.demo$
      - \.abc$
      - \.za$
      - \.baz$
      - \.nya$
      - \.tld$
```