Base64 basic authentication
Description
General
The Base64 basic authentication detector aims to catch any username/password pair that has been concatenated, Base64-encoded and used for HTTP Basic authentication.
This definition is very broad, so to avoid raising many false alerts, GitGuardian applies a range of validation steps and specifications that narrow the perimeter to look at.
Specifications
As defined in RFC 2617, Basic authentication authenticates a request with a username and password pair. The two are concatenated with a colon (:), encoded in Base64 and then added to the request in the Authorization header. The Base64 basic authentication detector finds the aforementioned Base64 string in a document.
To do so, the Base64 basic authentication detector starts by selecting documents that contain the string basic and whose filename is not excluded by GitGuardian's default filename banlist (see the pre-validators hereunder).
For this detector, the decoded username and password must follow a specific set of rules to be considered sensitive and therefore valid:
username:
- Caught usernames must be sensitive. Therefore, common usernames such as test-user or foo (see the pattern banlist hereunder) are banned.
password:
- For the same reason, common or irrelevant password values such as password or test (see the pattern banlist hereunder) are banned.
Revoke the secret
This detector catches generic credentials, so GitGuardian cannot infer which service is concerned. To properly revoke the credentials:
- Understand what service is impacted.
- Refer to the corresponding documentation to know how to revoke and rotate the credentials.
Examples
Examples that WILL be caught
- text: |
    "Authorization": "Basic aW50ZXJuc2hpcDpjZGk="
  username: aW50ZXJuc2hpcD # decodes to `internship`
  password: pjZGk # decodes to `cdi`
Examples that WILL NOT be caught
- The document does not contain the string basic.
  - text: |
      "Authorization": "aW50ZXJuc2hpcDpjZGk="
- The password is not sensitive.
  - text: |
      "Authorization": "Basic aW50ZXJuc2hpcDpwYXNzd29yZA==" # decodes to internship:password
Details for Base64 basic auth
- High Recall: False
- Validity Check: False
- Minimum Number of Matches: 2
- Occurrences found for one million commits: 106
- Prefixed: False
- type: FilenameBanlistPreValidator
  banlist_extensions:
    - html
    - css
    - md
    - lock
    - storyboard
    - xib
  banlist_filenames:
    - node_modules(/|\\)
    - vendors?(/|\\)
    - top-1000\.txt$
    - \.sops$
    - \.sops\.yaml$
  check_binaries: false
- type: ContentWhitelistPreValidator
  patterns:
    - 'basic '
username:
  - type: CommonUsernameBanlistPostValidator
  - type: ValueBanlistPostValidator
    patterns:
      - ^mailto$
      - ^login$
      - ^test-?user$
      - ^admin2$
      - ^demo$
      - ^myuser$
      - ^username$
      - ^foo$
      - ^bar$
      - ^abc$
      - ^beep$
      - ^hello$
      - ^tutorialspoint$
      - ^test_sas$
      - \.local$
      - ^test$
      - ^demodemo$
      - '@example.com$'
  - type: EntropyPostValidator
    entropy: 1
password:
  - type: CommonPasswordBanlistPostValidator
  - type: ValueBanlistPostValidator
    patterns:
      - ^token$
      - ^test-?pass$
      - ^123456$
      - ^adminpwd$
      - ^mypass$
      - ^test$
      - ^password$
      - ^wrongpass$
      - ^wrongsecret$
      - ^client_secret$
  - type: EntropyPostValidator
    entropy: 1