Skip to main content

PostgreSQL Credentials

Description#

General#

  • Documentation: https://www.postgresql.org/docs/13/index.html
  • Summary: PostgreSQL is an open source relational database management system. This detector catches PostgreSQL credentials in the form of a URI connection string, in a CLI command or stored in a pgpass file.
  • IPs allowlist: IPs allowlisting can be enforced on the server side.
  • Scopes: PostgreSQL supports a role based access, and thus different level of access can be granted to different users.

Revoke the secret#

A variety of PostgreSQL command are useful to change a user's role, password or even to drop the concerned user. This documentation page can be a good starting point to get more information on the topics.

Check for suspicious activity#

Auditing PostgreSQL logs can provide information about any suspicious activity on the database.

Details for Postgres assignment#

  • Category: Data storage

  • High recall: False

  • Validity check available: True

  • Only valid secrets raise an alert: False

  • Minimum number of matches: 4

  • Occurrences found for one million commits: 40.85

  • Prefixed: False

  • PreValidators:

- type: ContentWhitelistPreValidator  patterns:  - postgre  - pgsql  - psql

Examples#

- text: >    docker run --name geonetwork -d -p 8080:8080 -e PG_HOST=google.com -e PG_PORT=5434 -e PG_USERNAME=postgres -e PG_PASSWORD=m42ploz2wd geonetwork  host: google.com  port: "5434"  username: postgres  password: m42ploz2wd
- text: >    Assignement    dbusername = doadmin    dbpassword = vg498hwegw1udp6s    dbhost = db-postgres-nyc1-76477-do-user-1391911-0.db.ondigitalocean.com    dbport = 25060    dbdatabase = defaultdb    dbsslmode = require  username: doadmin  password: vg498hwegw1udp6s  host: db-postgres-nyc1-76477-do-user-1391911-0.db.ondigitalocean.com  port: "25060"
- text: >    server.port=5433    spring.datasource.postgres.hikari.jdbc-url=jdbc:postgresql://google.com/postgres    spring.datasource.postgres.hikari.username=postgres    spring.datasource.postgres.hikari.password=m42ploz2wd  host: google.com  port: "5433"  username: postgres  password: m42ploz2wd

Details for Postgres assignment attached port#

  • Category: Data storage

  • High recall: False

  • Validity check available: True

  • Only valid secrets raise an alert: False

  • Minimum number of matches: 4

  • Occurrences found for one million commits: 77.87

  • Prefixed: False

  • PreValidators:

- type: ContentWhitelistPreValidator  patterns:  - postgre

Examples#

- text: >    postgres    docker run    --name geonetwork -d    -p 8080:8080    -e PG_HOST=google.com:5434    -e PG_PORT=1212    -e PG_USERNAME=root    -e PG_PASSWORD=m42ploz2wd geonetwork  host: google.com  port: "5434"  username: root  password: m42ploz2wd
- text: >    server.port=1212    spring.datasource.url=jdbc:postgresql://google.com:9082/BLUDB    spring.datasource.username=root    spring.datasource.password=sup3rstr0ngpass  host: google.com  port: "9082"  username: root  password: sup3rstr0ngpass

Details for Postgres pgpass#

  • Category: Data storage

  • High recall: False

  • Validity check available: True

  • Only valid secrets raise an alert: False

  • Minimum number of matches: 5

  • Occurrences found for one million commits: 0.046

  • Prefixed: False

  • PreValidators:

- type: ContentWhitelistPreValidator  patterns:  - pgpass

Examples#

- text: secret.postgresql.host.com:5432:mydb:secret-us3r-oo:p@sswOrd  filename: .pgpass  host: secret.postgresql.host.com  port: "5432"  database: mydb  username: secret-us3r-oo  password: p@sswOrd# Test with a password containing colon, should be escaped with a backslash- text: secret.postgresql.host.com:5432:mydb:secret-us3r-oo:strongp@ss\:93  filename: pgpass.conf  host: secret.postgresql.host.com  port: "5432"  database: mydb  username: secret-us3r-oo  password: strongp@ss\:93

Details for Postgres uri#

  • Category: Data storage

  • High recall: True

  • Validity check available: True

  • Only valid secrets raise an alert: False

  • Minimum number of matches: 8

  • Occurrences found for one million commits: 108.0

  • Prefixed: True

  • PreValidators:

- type: FilenameBanlistPreValidator  banlist_extensions:  - ^(cs|x|p|s|r)?html5?~?$  - ^[aps]?cssc?~?$  - ^lock$  - ^mdx?~?$  - ^storyboard(c|er)?~?$  - ^xib$  banlist_filenames: []  check_binaries: false- type: ContentWhitelistPreValidator  patterns:  - postg(res|is)

Examples#

- text: >    CONNECTION_URI="postgres://postgres:m42ploz2wd@google.com:5434/thegift"  host: google.com  port: "5434"  username: postgres  password: m42ploz2wd  scheme: postgres  database: thegift  connection_uri: postgres://postgres:m42ploz2wd@google.com:5434/thegift
- text: >    Connection URI= postgresql://doadmin:vg498hwegw1udp6s@db-postgresql-nyc1-76477-do-user-1391911-0.db.ondigitalocean.com:25060/defaultdb?sslmode=require  host: db-postgresql-nyc1-76477-do-user-1391911-0.db.ondigitalocean.com  port: "25060"  username: doadmin  password: vg498hwegw1udp6s  scheme: postgresql  connection_uri: postgresql://doadmin:vg498hwegw1udp6s@db-postgresql-nyc1-76477-do-user-1391911-0.db.ondigitalocean.com:25060/defaultdb?sslmode=require  query: "sslmode=require"  database: defaultdb
# Test special characters in password- text: >    CONNECTION_URI="postgres://postgres:m42p!o@2wd@google.com:5434/thegift"  host: google.com  port: "5434"  username: postgres  password: m42p!o@2wd  scheme: postgres  database: thegift  connection_uri: postgres://postgres:m42p!o@2wd@google.com:5434/thegift
# Test postgis scheme- text: >    CONNECTION_URI="postgis://postgres:m42p!o@2wd@google.com:5434/thegift"  host: google.com  port: "5434"  username: postgres  password: m42p!o@2wd  scheme: postgis  database: thegift  connection_uri: postgis://postgres:m42p!o@2wd@google.com:5434/thegift


Details for Postgres cli#

  • Category: Data storage

  • High recall: True

  • Validity check available: True

  • Only valid secrets raise an alert: False

  • Minimum number of matches: 3

  • Occurrences found for one million commits: 0.28

  • Prefixed: True

  • PreValidators:

- type: FilenameBanlistPreValidator  banlist_extensions:  - ^(cs|x|p|s|r)?html5?~?$  - ^[aps]?cssc?~?$  - ^lock$  - ^mdx?~?$  - ^storyboard(c|er)?~?$  - ^xib$  banlist_filenames: []  check_binaries: false- type: ContentWhitelistPreValidator  patterns:  - psql

Examples#

- text: >    PGPASSWORD=strongp@ss psql -hdb-postgresql-ams3-58486-do-user-7772205-0.b.db.ondigitalocean.com -Udoadmin -p 25060  host: db-postgresql-ams3-58486-do-user-7772205-0.b.db.ondigitalocean.com  username: doadmin  password: strongp@ss
- text: >    PGPASSWORD=strongp@ss psql -h12.76.135.14 -Udoadmin -p 25060  host: 12.76.135.14  username: doadmin  password: strongp@ss
# Test with full option names- text: >    PGPASSWORD=strongp@ss psql --host=db-postgresql-ams3-58486-do-user-7772205-0.b.db.ondigitalocean.com --username doadmin -p 25060  host: db-postgresql-ams3-58486-do-user-7772205-0.b.db.ondigitalocean.com  username: doadmin  password: strongp@ss
# Test with another order for options- text: >    PGPASSWORD=strongp@ss psql --usern=doadmin -p 25060 --hos db-postgresql-ams3-58486-do-user-7772205-0.b.db.ondigitalocean.com  host: db-postgresql-ams3-58486-do-user-7772205-0.b.db.ondigitalocean.com  username: doadmin  password: strongp@ss
# Test with some extra options in the middle of it all- text: >    PGPASSWORD=strongp@ss psql --username doadmin -d mydatabase --host db-postgresql-ams3-58486-do-user-7772205-0.b.db.ondigitalocean.com  host: db-postgresql-ams3-58486-do-user-7772205-0.b.db.ondigitalocean.com  username: doadmin  password: strongp@ss
# Multiple whitespaces- text: |    PGPASSWORD=strongp@ss psql    --username      doadmin -d mydatabase --host      db-postgresql-ams3-58486-do-user-7772205-0.b.db.ondigitalocean.com  host: db-postgresql-ams3-58486-do-user-7772205-0.b.db.ondigitalocean.com  username: doadmin  password: strongp@ss