Base64 Generic high entropy secret
Description
General
The Base64 generic high entropy detector aims at catching any high entropy string assigned to a sensitive variable in Base64-encoded text. It applies validation steps and specifications similar to those of the generic high entropy detector, adapted to Base64-encoded text.
Specifications
About Base64-encoded text
Base64 is a binary-to-text encoding scheme. It is mainly used to send binary data across channels that only reliably support text content. Base64 is also applied to text, for example in JSON Web Tokens or to obfuscate it.
Base64 is not an encryption algorithm: encoding and decoding do not rely on a secret key. It is, however, commonly used to encode the output of encryption algorithms as text. This detector only looks for generic secrets inside Base64-encoded text that represents unicode text.
Revoke the secret
This detector catches generic secrets, so GitGuardian cannot infer which service is concerned. To properly revoke the secret:
- Understand what service is impacted. Decoding the whole Base64 text may be required.
- Refer to the corresponding documentation to know how to revoke and rotate the secret.
Examples
Examples that WILL be caught
# base64(api_key = rca.pibsaorcibu234lbu43)
- text: |
    YXBpX2tleSA9IHJjYS5waWJzYW9yY2lidTIzNGxidTQz
  apikey: HJjYS5waWJzYW9yY2lidTIzNGxidTQz
# base64({"api-key": "asnbtueaorueobu435nstau"})
- text: |
    eyJhcGkta2V5IjogImFzbmJ0dWVhb3J1ZW9idTQzNW5zdGF1In0K
  apikey: mFzbmJ0dWVhb3J1ZW9idTQzNW5zdGF1
# base64(token: asnbtueaorueobu435nstau)
- text: |
    dG9rZW46IGFzbmJ0dWVhb3J1ZW9idTQzNW5zdGF1Cg==
  apikey: GFzbmJ0dWVhb3J1ZW9idTQzNW5zdGF1
# base64(authorization = asnbtueaorueobu435nstau)
- text: |
    YXV0aG9yaXphdGlvbiA9IGFzbmJ0dWVhb3J1ZW9idTQzNW5zdGF1
  apikey: GFzbmJ0dWVhb3J1ZW9idTQzNW5zdGF1
Examples that WILL NOT be caught
- The high entropy string is too short:
# base64(api_key = hj65_klhz/trlu)
- text: |
    YXBpX2tleSA9IGhqNjVfa2xoei90cmx1
- The entropy of the string is not high enough:
# base64(secret = xob1xob1xob1xob1xob1xob1xob1)
- text: |
    c2VjcmV0ID0geG9iMXhvYjF4b2IxeG9iMXhvYjF4b2IxeG9iMQ==
- The assigned variable is not considered sensitive:
# base64(object_id = hj65_klhz/trlupok76)
- text: |
    b2JqZWN0X2lkID0gaGo2NV9rbGh6L3RybHVwb2s3Ng==
For more examples, see the examples of the generic high entropy detector, encoded in Base64.
Details for Base64 Generic high entropy secret
High Recall: False
Validity Check: False
Minimum Number of Matches: 1
Occurrences found for one million commits: 70
Prefixed: False
PreValidators:
Here is a list of the validation steps the document must pass before being analyzed.
- type: FilenameBanlistPreValidator
  banlist_extensions: []
  banlist_filenames:
    - hash
    - list/k.txt$
    - list/plex.txt$
    - \.csproj$
    - tg/mtproto\.json
  check_binaries: false
- type: ContentWhitelistPreValidator
  patterns:
    - '[a-z0-9+/]{28,10000}={0,2}'
- type: Base64ContentWhitelistPreValidator
  keywords:
    - secret
    - token
    - apikey
    - api-key
    - api_key
    - api.key
    - credential
    - auth
PostValidators:
Identical to the post-validators of the generic high entropy detector, but applied to the decoded text.
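
A simplified sketch of the pipeline described above, added here as an illustration and not GitGuardian's implementation: find Base64 runs with the content pattern, decode them as unicode text, require one of the listed keywords, then check the assigned value's length and entropy. The assignment regex, case-insensitive matching, the 16-character minimum and the 3.0 bits-per-character threshold are assumptions chosen to reproduce the page's examples.

```python
import base64
import math
import re
from collections import Counter

# Pattern and keywords come from the PreValidators listed on this page;
# matching the pattern case-insensitively is an assumption.
B64_RUN = re.compile(r"[a-z0-9+/]{28,10000}={0,2}", re.IGNORECASE)
KEYWORDS = ("secret", "token", "apikey", "api-key", "api_key", "api.key",
            "credential", "auth")
# Assumptions, not GitGuardian's real values: assignment grammar and thresholds.
ASSIGNMENT = re.compile(r"""["']?([\w.\-]+)["']?\s*[:=]\s*["']?([^\s"'{}]+)""")
MIN_LENGTH = 16     # characters
MIN_ENTROPY = 3.0   # Shannon bits per character


def shannon_entropy(value):
    counts = Counter(value)
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())


def is_sensitive(text):
    return any(k in text.lower() for k in KEYWORDS)


def scan(document):
    """Return (variable, value) pairs found inside Base64 runs of `document`."""
    findings = []
    for run in B64_RUN.finditer(document):
        try:
            decoded = base64.b64decode(run.group(0), validate=True).decode("utf-8")
        except ValueError:  # bad padding, or bytes that are not unicode text
            continue
        if not is_sensitive(decoded):  # keyword pre-validation on decoded text
            continue
        for name, value in ASSIGNMENT.findall(decoded):
            if (is_sensitive(name) and len(value) >= MIN_LENGTH
                    and shannon_entropy(value) >= MIN_ENTROPY):
                findings.append((name, value))
    return findings


# Sample inputs are the page's own examples.
CAUGHT = "dG9rZW46IGFzbmJ0dWVhb3J1ZW9idTQzNW5zdGF1Cg=="
TOO_SHORT = "YXBpX2tleSA9IGhqNjVfa2xoei90cmx1"
LOW_ENTROPY = "c2VjcmV0ID0geG9iMXhvYjF4b2IxeG9iMXhvYjF4b2IxeG9iMQ=="
NOT_SENSITIVE = "b2JqZWN0X2lkID0gaGo2NV9rbGh6L3RybHVwb2s3Ng=="

if __name__ == "__main__":
    for sample in (CAUGHT, TOO_SHORT, LOW_ENTROPY, NOT_SENSITIVE):
        print(sample, "->", scan(sample))
```

The returned value is the decoded secret, which is what has to be rotated; the Base64 run itself is only where it was found.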