
Redis Credentials

Description

General

  • Documentation: https://redis.io/documentation
  • Summary: Redis is a distributed in-memory key-value database. This detector aims at catching Redis credentials consisting of a host, port, username and password in a connection URI string, in an assignment form, or in a CLI command.
  • IPs allowlist: IP allowlisting can and should be implemented on the server hosting the Redis instance. Refer to this security documentation for more details.
  • Scopes: By default, Redis does not implement access control. However, an authorization layer can be set when configuring Redis. Since Redis 6, a real Access Control List can be set to attribute different scopes to different users. Before this, a single password gave full access to the database. See this ACL documentation for more details on the topic.

Revoke the secret

Redis supports the ACL DELUSER command, which both deletes the specified users and terminates all their connections.

Check for suspicious activity

Suspicious activity can be detected by auditing Redis log files.

Details for Redis assignment

  • Family: Database

  • Category: Data storage

  • High recall: False

  • Validity check available: True

  • On-premise instances exist: True

  • Only valid secrets raise an alert: False

  • Minimum number of matches: 3

  • Occurrences found for one million commits: 9.27

  • Prefixed: False

  • PreValidators:

- type: FilenameBanlistPreValidator
  banlist_extensions: []
  banlist_filenames: []
  check_binaries: false
  include_default_banlist_extensions: true
  ban_markup: true
- type: ContentWhitelistPreValidator
  patterns:
  - redis

Examples

- text: >
    -spring.redis.database=0
    -spring.redis.host=12.34.56.78
    -spring.redis.port=6379
    -spring.redis.password=why12345
    -spring.redis.timeout=10000ms
  password: why12345
  host: "12.34.56.78"
  port: "6379"
- text: >
    +REDIS_HOST=123.123.123.123
    +REDIS_PASSWORD=qg7MkRRIH3wBZk75Z8CKoMgUe8Lg4FIHbCAWSDqiG9m7P54321
    +REDIS_PORT=6579
    +DB_HOST=123.123.123.123
    +DB_PORT=3506
    +DB_DATABASE=mjt
    +DB_USERNAME=zzym
    +DB_PASSWORD=pqwoeirj;aslkdfjasdk
  host: "123.123.123.123"
  password: qg7MkRRIH3wBZk75Z8CKoMgUe8Lg4FIHbCAWSDqiG9m7P54321
  port: "6579"

Details for Redis uri

  • Family: Database

  • Category: Data storage

  • High recall: True

  • Validity check available: True

  • On-premise instances exist: True

  • Only valid secrets raise an alert: False

  • Minimum number of matches: 8

  • Occurrences found for one million commits: 5.78

  • Prefixed: True

  • PreValidators:

- type: FilenameBanlistPreValidator
  banlist_extensions: []
  banlist_filenames: []
  check_binaries: false
  include_default_banlist_extensions: true
  ban_markup: false
- type: ContentWhitelistPreValidator
  patterns:
  - redis

Examples

- text: >
    CONECTION_URI="redis://root:m42ploz2wd@google.com:5434/thegift"
  host: google.com
  port: "5434"
  username: root
  password: m42ploz2wd
  scheme: redis
  database: thegift
  connection_uri: redis://root:m42ploz2wd@google.com:5434/thegift
- text: >
    CONECTION_URI="rediss://root:m42ploz2wd@google.com:5434/thegift"
  host: google.com
  port: "5434"
  username: root
  password: m42ploz2wd
  scheme: rediss
  database: thegift
  connection_uri: rediss://root:m42ploz2wd@google.com:5434/thegift
# Test special characters in password
- text: >
    CONECTION_URI="rediss://root:m42p!o@2wd@google.com:5434/thegift"
  host: google.com
  port: "5434"
  username: root
  password: m42p!o@2wd
  scheme: rediss
  database: thegift
  connection_uri: rediss://root:m42p!o@2wd@google.com:5434/thegift
# Test detection in md files
- text: >
    CONECTION_URI="rediss://root:m42p!o@2wd@google.com:5434/thegift"
  host: google.com
  port: "5434"
  username: root
  password: m42p!o@2wd
  scheme: rediss
  database: thegift
  connection_uri: rediss://root:m42p!o@2wd@google.com:5434/thegift
  filename: some_file.md
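
The special-character case above only parses correctly if the userinfo is split at the last `@` before the host. The following Python matcher is an added example, not GitGuardian's detector code; the pattern and the names `find_redis_uris` and `redact` are illustrative assumptions. It extracts the same fields as the examples and masks the password for safe logging.

```python
import re

# Illustrative pattern, not the detector's own. The password group is greedy and
# backtracks to the LAST '@' before the host, so '@' inside a password is kept.
REDIS_URI = re.compile(
    r"(?P<scheme>rediss?)://"
    r"(?:(?P<username>[^:/\s\"']*):(?P<password>[^/\s\"']+)@)?"
    r"(?P<host>[A-Za-z0-9.\-]+)"
    r"(?::(?P<port>\d{1,5}))?"
    r"(?:/(?P<database>[^\s\"'?#]*))?"
)

# Sample input: the first line is from the examples above, the second is constructed.
SAMPLE = (
    'CONECTION_URI="rediss://root:m42p!o@2wd@google.com:5434/thegift"\n'
    'CACHE_URI="redis://localhost:6379/0"\n'
)


def find_redis_uris(text):
    """Return one dict per redis(s):// URI in `text` that carries a password."""
    if "redis" not in text:  # cheap content pre-filter (assumed substring match)
        return []
    hits = []
    for m in REDIS_URI.finditer(text):
        if not m.group("password"):
            continue  # URI without credentials is not a secret
        hit = {k: v for k, v in m.groupdict().items() if v}
        hit["connection_uri"] = m.group(0)
        hits.append(hit)
    return hits


def redact(text):
    """Replace the password of every credentialed Redis URI with '***'."""
    def mask(m):
        if not m.group("password"):
            return m.group(0)
        start = m.start("password") - m.start()
        end = m.end("password") - m.start()
        return m.group(0)[:start] + "***" + m.group(0)[end:]
    return REDIS_URI.sub(mask, text)


if __name__ == "__main__":
    for hit in find_redis_uris(SAMPLE):
        print(hit)
    print(redact(SAMPLE))
```

The password-only form `redis://:password@host:port`, used with instances that predate Redis 6 ACLs, is also matched; the empty username is simply omitted from the result.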

Details for Redis cli

  • Family: Database

  • Category: Data storage

  • High recall: False

  • Validity check available: True

  • On-premise instances exist: True

  • Only valid secrets raise an alert: False

  • Minimum number of matches: 2

  • Occurrences found for one million commits: 0.36

  • Prefixed: False

  • PreValidators:

- type: FilenameBanlistPreValidator
  banlist_extensions: []
  banlist_filenames: []
  check_binaries: false
  include_default_banlist_extensions: true
  ban_markup: true
- type: ContentWhitelistPreValidator
  patterns:
  - redis-cli
  - redli

Examples

- text: >
    redli --tls -h db-redis-ams3-27524-do-user-7772205-0.a.db.ondigitalocean.com -astr0ngp@55
  host: db-redis-ams3-27524-do-user-7772205-0.a.db.ondigitalocean.com
  password: str0ngp@55
- text: >
    redli --tls -h 12.76.135.14 -astr0ngp@55
  host: 12.76.135.14
  password: str0ngp@55
- text: >
    redli --tls -h db-redis-ams3-27524-do-user-7772205-0.a.db.ondigitalocean.com --auth str0ngp@55
  host: db-redis-ams3-27524-do-user-7772205-0.a.db.ondigitalocean.com
  password: str0ngp@55
- text: >
    redli --tls -h db-redis-ams3-27524-do-user-7772205-0.a.db.ondigitalocean.com --auth=str0ngp@55
  host: db-redis-ams3-27524-do-user-7772205-0.a.db.ondigitalocean.com
  password: str0ngp@55
- text: >
    redis-cli --tls -h db-redis-ams3-27524-do-user-7772205-0.a.db.ondigitalocean.com --pass str0ngp@55
  host: db-redis-ams3-27524-do-user-7772205-0.a.db.ondigitalocean.com
  password: str0ngp@55
- text: >
    redis-cli --tls -h db-redis-ams3-27524-do-user-7772205-0.a.db.ondigitalocean.com --pass str0ngp@55
  host: db-redis-ams3-27524-do-user-7772205-0.a.db.ondigitalocean.com
  password: str0ngp@55
# Multiple whitespaces
- text: >
    redis-cli   --tls -h   db-redis-ams3-27524-do-user-7772205-0.a.db.ondigitalocean.com --pass     str0ngp@55
  host: db-redis-ams3-27524-do-user-7772205-0.a.db.ondigitalocean.com
  password: str0ngp@55
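
The CLI examples above spell the password flag four ways (`-aVALUE`, `--auth VALUE`, `--auth=VALUE`, `--pass VALUE`) and tolerate repeated whitespace. The following Python scanner is an added example, not GitGuardian's detector code; `find_cli_credentials` and its helper are illustrative names. It tokenizes each command line and reports a hit only when both a host and a password are present.

```python
import shlex

TOOLS = {"redis-cli", "redli"}
# Only the flag spellings that appear in the examples above.
FLAGS = {"-h": "host", "-a": "password", "--auth": "password", "--pass": "password"}

# Sample input: lines 1-3 are from the examples above, lines 4-5 are constructed.
SAMPLE_CLI = """\
redli --tls -h 12.76.135.14 -astr0ngp@55
redli --tls -h 12.76.135.14 --auth=str0ngp@55
redis-cli   --tls -h   12.76.135.14 --pass     str0ngp@55
redis-cli -h 12.76.135.14 ping
redis-cli -h 12.76.135.14 --pass -hunter2
"""


def _match(tokens, i, flag):
    """Return (value, tokens_consumed) if tokens[i] sets `flag`, else None."""
    tok = tokens[i]
    if tok == flag:  # "--pass VALUE", "-h VALUE"
        return (tokens[i + 1], 2) if i + 1 < len(tokens) else None
    if flag.startswith("--"):
        if tok.startswith(flag + "="):  # "--auth=VALUE"
            return tok[len(flag) + 1:], 1
    elif tok.startswith(flag):  # "-aVALUE"
        return tok[len(flag):], 1
    return None


def find_cli_credentials(text):
    """Return {'host', 'password'} dicts for redis-cli/redli lines that have both."""
    hits = []
    for line in text.splitlines():
        try:
            tokens = shlex.split(line)  # collapses repeated whitespace
        except ValueError:  # unbalanced quote: fall back to a plain split
            tokens = line.split()
        start = next((i for i, t in enumerate(tokens)
                      if t.rsplit("/", 1)[-1] in TOOLS), None)
        if start is None:
            continue
        args, hit, i = tokens[start + 1:], {}, 0
        while i < len(args):
            step = 1
            for flag, field in FLAGS.items():
                m = _match(args, i, flag)
                if m and m[0]:
                    hit.setdefault(field, m[0])
                    step = m[1]  # skip a consumed value so it is not re-read as a flag
                    break
            i += step
        if {"host", "password"} <= hit.keys():
            hits.append(hit)
    return hits
```

Consuming the value token together with its flag is what keeps a password such as `-hunter2` from being misread as a second `-h` option.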