PostgreSQL Credentials
Description#
General#
- Documentation: https://www.postgresql.org/docs/13/index.html
- Summary: PostgreSQL is an open-source relational database management system. This detector catches PostgreSQL credentials in the form of a URI connection string, in a CLI command or stored in a
pgpassfile. - IPs allowlist: IPs allowlisting can be enforced on the server side.
- Scopes: PostgreSQL supports a role-based access, and thus different level of access can be granted to different users.
Revoke the secret#
A variety of PostgreSQL commands are useful to change a user's role, password or even to drop the concerned user. This documentation page can be a good starting point to get more information on the topics.
Check for suspicious activity#
Auditing PostgreSQL logs can provide information about any suspicious activity on the database.
Details for Postgres assignment#
Family: Database
Category: Data storage
High recall: False
Validity check available: True
On-premise instances exist: True
Only valid secrets raise an alert: False
Minimum number of matches: 4
Occurrences found for one million commits: 42.03
Prefixed: False
PreValidators:
- type: ContentWhitelistPreValidator patterns: - postgre - pgsql - psql
Examples#
- text: > docker run --name geonetwork -d -p 8080:8080 -e PG_HOST=google.com -e PG_PORT=5434 -e PG_USERNAME=postgres -e PG_PASSWORD=m42ploz2wd geonetwork host: google.com port: "5434" username: postgres password: m42ploz2wd
- text: > Assignement dbusername = doadmin dbpassword = vg498hwegw1udp6s dbhost = db-postgres-nyc1-76477-do-user-1391911-0.db.ondigitalocean.com dbport = 25060 dbdatabase = defaultdb dbsslmode = require username: doadmin password: vg498hwegw1udp6s host: db-postgres-nyc1-76477-do-user-1391911-0.db.ondigitalocean.com port: "25060"
- text: > server.port=5433 spring.datasource.postgres.hikari.jdbc-url=jdbc:postgresql://google.com/postgres spring.datasource.postgres.hikari.username=postgres spring.datasource.postgres.hikari.password=m42ploz2wd host: google.com port: "5433" username: postgres password: m42ploz2wd
Details for Postgres assignment attached port#
Family: Database
Category: Data storage
High recall: False
Validity check available: True
On-premise instances exist: True
Only valid secrets raise an alert: False
Minimum number of matches: 4
Occurrences found for one million commits: 80.07
Prefixed: False
PreValidators:
- type: ContentWhitelistPreValidator patterns: - postgre
Examples#
- text: > postgres docker run --name geonetwork -d -p 8080:8080 -e PG_HOST=google.com:5434 -e PG_PORT=1212 -e PG_USERNAME=root -e PG_PASSWORD=m42ploz2wd geonetwork host: google.com port: "5434" username: root password: m42ploz2wd
- text: > server.port=1212 spring.datasource.url=jdbc:postgresql://google.com:9082/BLUDB spring.datasource.username=root spring.datasource.password=sup3rstr0ngpass host: google.com port: "9082" username: root password: sup3rstr0ngpass
Details for Postgres pgpass#
Family: Database
Category: Data storage
High recall: False
Validity check available: True
On-premise instances exist: True
Only valid secrets raise an alert: False
Minimum number of matches: 5
Occurrences found for one million commits: 0.046
Prefixed: False
PreValidators:
- type: ContentWhitelistPreValidator patterns: - pgpass
Examples#
- text: secret.postgresql.host.com:5432:mydb:secret-us3r-oo:p@sswOrd filename: .pgpass host: secret.postgresql.host.com port: "5432" database: mydb username: secret-us3r-oo password: p@sswOrd# Test with a password containing colon, should be escaped with a backslash- text: secret.postgresql.host.com:5432:mydb:secret-us3r-oo:strongp@ss\:93 filename: pgpass.conf host: secret.postgresql.host.com port: "5432" database: mydb username: secret-us3r-oo password: strongp@ss\:93
Details for Postgres uri#
Family: Database
Category: Data storage
High recall: True
Validity check available: True
On-premise instances exist: True
Only valid secrets raise an alert: False
Minimum number of matches: 8
Occurrences found for one million commits: 126.22
Prefixed: True
PreValidators:
- type: FilenameBanlistPreValidator banlist_extensions: [] banlist_filenames: [] check_binaries: false include_default_banlist_extensions: true ban_markup: false- type: ContentWhitelistPreValidator patterns: - postg(res|is)
Examples#
- text: > CONNECTION_URI="postgres://postgres:m42ploz2wd@google.com:5434/thegift" host: google.com port: "5434" username: postgres password: m42ploz2wd scheme: postgres database: thegift connection_uri: postgres://postgres:m42ploz2wd@google.com:5434/thegift
- text: > Connection URI= postgresql://doadmin:vg498hwegw1udp6s@db-postgresql-nyc1-76477-do-user-1391911-0.db.ondigitalocean.com:25060/defaultdb?sslmode=require host: db-postgresql-nyc1-76477-do-user-1391911-0.db.ondigitalocean.com port: "25060" username: doadmin password: vg498hwegw1udp6s scheme: postgresql connection_uri: postgresql://doadmin:vg498hwegw1udp6s@db-postgresql-nyc1-76477-do-user-1391911-0.db.ondigitalocean.com:25060/defaultdb?sslmode=require query: "sslmode=require" database: defaultdb
# Test special characters in password- text: > CONNECTION_URI="postgres://postgres:m42p!o@2wd@google.com:5434/thegift" host: google.com port: "5434" username: postgres password: m42p!o@2wd scheme: postgres database: thegift connection_uri: postgres://postgres:m42p!o@2wd@google.com:5434/thegift
# Test postgis scheme- text: > CONNECTION_URI="postgis://postgres:m42p!o@2wd@google.com:5434/thegift" host: google.com port: "5434" username: postgres password: m42p!o@2wd scheme: postgis database: thegift connection_uri: postgis://postgres:m42p!o@2wd@google.com:5434/thegift
# Test detection in md files- text: > CONNECTION_URI="postgis://postgres:m42p!o@2wd@google.com:5434/thegift" host: google.com port: "5434" username: postgres password: m42p!o@2wd scheme: postgis database: thegift connection_uri: postgis://postgres:m42p!o@2wd@google.com:5434/thegift filename: some_file.md
Details for Postgres cli#
Family: Database
Category: Data storage
High recall: False
Validity check available: True
On-premise instances exist: True
Only valid secrets raise an alert: False
Minimum number of matches: 3
Occurrences found for one million commits: 0.28
Prefixed: False
PreValidators:
- type: FilenameBanlistPreValidator banlist_extensions: [] banlist_filenames: [] check_binaries: false include_default_banlist_extensions: true ban_markup: true- type: ContentWhitelistPreValidator patterns: - psql
Examples#
- text: > PGPASSWORD=strongp@ss psql -hdb-postgresql-ams3-58486-do-user-7772205-0.b.db.ondigitalocean.com -Udoadmin -p 25060 host: db-postgresql-ams3-58486-do-user-7772205-0.b.db.ondigitalocean.com username: doadmin password: strongp@ss
- text: > PGPASSWORD=strongp@ss psql -h12.76.135.14 -Udoadmin -p 25060 host: 12.76.135.14 username: doadmin password: strongp@ss
# Test with full option names- text: > PGPASSWORD=strongp@ss psql --host=db-postgresql-ams3-58486-do-user-7772205-0.b.db.ondigitalocean.com --username doadmin -p 25060 host: db-postgresql-ams3-58486-do-user-7772205-0.b.db.ondigitalocean.com username: doadmin password: strongp@ss
# Test with another order for options- text: > PGPASSWORD=strongp@ss psql --usern=doadmin -p 25060 --hos db-postgresql-ams3-58486-do-user-7772205-0.b.db.ondigitalocean.com host: db-postgresql-ams3-58486-do-user-7772205-0.b.db.ondigitalocean.com username: doadmin password: strongp@ss
# Test with some extra options in the middle of it all- text: > PGPASSWORD=strongp@ss psql --username doadmin -d mydatabase --host db-postgresql-ams3-58486-do-user-7772205-0.b.db.ondigitalocean.com host: db-postgresql-ams3-58486-do-user-7772205-0.b.db.ondigitalocean.com username: doadmin password: strongp@ss
# Multiple whitespaces- text: | PGPASSWORD=strongp@ss psql --username doadmin -d mydatabase --host db-postgresql-ams3-58486-do-user-7772205-0.b.db.ondigitalocean.com host: db-postgresql-ams3-58486-do-user-7772205-0.b.db.ondigitalocean.com username: doadmin password: strongp@ss