Basic auth string
Description
General
The Basic authentication string detector aims at catching any host/username/password triplet concatenated into a URI and used for HTTP Basic authentication.
This pattern is very broad, so to avoid raising many false alerts, GitGuardian applies a series of validation steps and specifications that narrow the perimeter the detector looks at.
Specifications
As defined in RFC 2617 (the Basic scheme is now specified by RFC 7617, which obsoletes it), HTTP Basic Authentication is a way to authenticate by providing a username and a password when making a request to a service exposed by a host. These credentials are normally sent base64-encoded in the Authorization header of the request, but they can also appear in plain text in the userinfo part of a URI (http://username:password@host). This detector focuses on the latter case.
To do so, the basic authentication string detector starts by identifying documents that match the https?:// regular expression and whose filename does not hit the filename banlist (see the prevalidator below). The detector then applies common detection techniques and post-validation tools.
For this detector, the host, username, and password must each follow a specific set of rules to be considered sensitive, and therefore valid (the detector also extracts a specific port attached to the host if one exists):
host:
- Set of rules to filter irrelevant host names such as api.example.com, or hosts on the common host banlist identified by GitGuardian (see banlist below).
username:
- Set of rules to filter common banned usernames such as test-user or foo (see banlist below).
password:
- Set of rules to filter irrelevant passwords such as password or test (see banlist below).
port (optional):
- If the Basic authentication string detector detects a port on the host, the value is added to the list of matches.
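The following Python script is added here as an illustration and is not GitGuardian's own code. It re-implements the pipeline described above in simplified form: the https?:// content pre-validator and the filename banlist, then the per-field post-validators (value banlists and minimum length), using the lists given in the Details section at the bottom of this page. The Common*Banlist post-validators are internal lists that the page does not publish, so the small sets in the script are constructed stand-ins built from the page's own examples (api.example.com, test-user, foo, password, test). The URL tokenizer regex and the assumption that value banlist entries are matched as regular expressions are also assumptions of this example.

```python
"""Simplified re-implementation of the Basic auth string detection logic.

Added example for illustration only; this is not GitGuardian's detector.
The Common*Banlist post-validators are internal lists not published on the
page, so COMMON_HOSTS / COMMON_USERNAMES / COMMON_PASSWORDS below are
constructed stand-ins taken from the page's own examples.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# --- Pre-validators (ContentWhitelistPreValidator / FilenameBanlistPreValidator)
CONTENT_WHITELIST = re.compile(r"https?://")
BANLIST_EXTENSIONS = {"css", "storyboard", "xib"}
BANLIST_FILENAMES = [re.compile(p) for p in (
    r"node_modules(/|\\)", r"vendors?(/|\\)", r"top-1000\.txt$", r"\.sops$", r"\.sops\.yaml$",
)]

# --- Post-validators. Value banlists are copied from the Details section and
# assumed to be regex searches (the password list contains regex syntax).
COMMON_HOSTS = {"example.com"}              # stand-in for CommonHostBanlistPostValidator
HOST_BANLIST = [re.compile(p) for p in ("api.parse.com", "host.xz")]
COMMON_USERNAMES = {"foo", "test-user"}      # stand-in for CommonUsernameBanlistPostValidator
USERNAME_BANLIST = [re.compile(p) for p in (
    "mailto", "login", "test-user", "admin2", "demo", "myuser")]
COMMON_PASSWORDS = {"password", "test"}     # stand-in for CommonPasswordBanlistPostValidator
PASSWORD_BANLIST = [re.compile(p) for p in (
    r"\.env", r"env[. ]", r"str\(", r"\.getenv\(",
    r"\+[^+(\d]+?\+",    # string concatenation such as "+PASSWORD+"
    r"\{[^}(\d]+?\}",    # template placeholders such as "{password}" or "${PASSWORD}"
    "token", "test-pass", "123456", "adminpwd", "mypass")]
MIN_LENGTH = 4

# A URL token in free text (assumption): stop at whitespace and common closing delimiters.
URL_TOKEN = re.compile(r"https?://[^\s\"'<>)\]]+")


def prevalidate_filename(filename: str) -> bool:
    """FilenameBanlistPreValidator: False means the whole file is skipped."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in BANLIST_EXTENSIONS:
        return False
    return not any(p.search(filename) for p in BANLIST_FILENAMES)


def _banned(value: str, common: set, patterns: List[re.Pattern]) -> bool:
    return value.lower() in common or any(p.search(value) for p in patterns)


def host_is_sensitive(host: str) -> bool:
    h = host.lower()
    if any(h == c or h.endswith("." + c) for c in COMMON_HOSTS):
        return False
    return not any(p.search(h) for p in HOST_BANLIST)


def username_is_sensitive(username: str) -> bool:
    return len(username) >= MIN_LENGTH and not _banned(username, COMMON_USERNAMES, USERNAME_BANLIST)


def password_is_sensitive(password: str) -> bool:
    return len(password) >= MIN_LENGTH and not _banned(password, COMMON_PASSWORDS, PASSWORD_BANLIST)


def detect(text: str, filename: str = "unknown") -> List[Dict[str, Optional[str]]]:
    """Return one match per URI whose user:password@host triplet passes every rule."""
    if not prevalidate_filename(filename) or not CONTENT_WHITELIST.search(text):
        return []
    matches = []
    for token in URL_TOKEN.findall(text):
        parts = urlsplit(token)
        if not (parts.username and parts.password and parts.hostname):
            continue  # no user:password@ userinfo, nothing to report
        try:
            port = parts.port
        except ValueError:
            port = None  # e.g. "host:abc" is not a numeric port
        if not (host_is_sensitive(parts.hostname)
                and username_is_sensitive(parts.username)
                and password_is_sensitive(parts.password)):
            continue
        match = {"username": parts.username, "password": parts.password, "host": parts.hostname}
        if port is not None:
            match["port"] = str(port)  # the optional port becomes an extra match
        matches.append(match)
    return matches


if __name__ == "__main__":
    # Constructed sample: the page's first "WILL be caught" URI embedded in a config line.
    sample = "DATABASE_URL=http://43f6017361224d098402974103bfc53d:a6a0538fc2934ba2bed32e08741b2cd3@my.host.live.something.com:9000/1"
    for m in detect(sample, filename="config/settings.py"):
        print(m)
```

Running the script on the page's own examples reproduces the documented outcomes: the two "WILL be caught" URIs yield a match (the first with a port entry, the second without), while the api.parse.com host, the test-user username and the literal password "password" are each rejected by a post-validator. The placeholder pattern on the password field is what stops templated URIs such as http://deploy:{PASSWORD}@host from being reported.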
Revoke the secret
This detector catches generic credentials, so GitGuardian cannot infer which service is concerned. To properly revoke the credentials:
- Understand which service is impacted (the host captured in the match is usually the best starting point).
- Refer to the corresponding documentation to learn how to revoke and rotate the credentials.
Examples
Examples that WILL be caught
- text: >
http://43f6017361224d098402974103bfc53d:a6a0538fc2934ba2bed32e08741b2cd3@my.host.live.something.com:9000/1
username: 43f6017361224d098402974103bfc53d
password: a6a0538fc2934ba2bed32e08741b2cd3
host: my.host.live.something.com
port: '9000'
- text: >
http://43f6017361224d098402974103bfc53d:a6a0538fc2934ba2bed32e08741b2cd3@my.host.live.something.com/1
username: 43f6017361224d098402974103bfc53d
password: a6a0538fc2934ba2bed32e08741b2cd3
host: my.host.live.something.com
Examples that WILL NOT be caught
- Host name is not sensitive.
- text: >
http://43f6017361224d098402974103bfc53d:a6a0538fc2934ba2bed32e08741b2cd3@api.parse.com:9000/1
- Username is not sensitive.
- text: >
http://test-user:a6a0538fc2934ba2bed32e08741b2cd3@my.host.live.something.com:9000/1
- Password is not sensitive.
- text: >
http://43f6017361224d098402974103bfc53d:password@my.host.live.something.com:9000/1
Details for Basic auth string
High Recall: True
Validity Check: False
Minimum Number of Matches: 3
Occurrences found for one million commits: 87
Prefixed: True
- type: FilenameBanlistPreValidator
banlist_extensions:
- css
- storyboard
- xib
banlist_filenames:
- node_modules(/|\\)
- vendors?(/|\\)
- top-1000\.txt$
- \.sops$
- \.sops\.yaml$
check_binaries: false
- type: ContentWhitelistPreValidator
patterns:
- https?://
host:
- type: CommonHostBanlistPostValidator
- type: ValueBanlistPostValidator
patterns: ['api.parse.com', 'host.xz']
password:
- type: CommonPasswordBanlistPostValidator
- type: ValueBanlistPostValidator
patterns:
- \.env
- env[. ]
- str\(
- \.getenv\(
- \+[^+(\d]+?\+
- \{[^}(\d]+?\}
- token
- test-pass
- '123456'
- adminpwd
- mypass
- type: MinimumLengthPostValidator
length: 4
username:
- type: CommonUsernameBanlistPostValidator
- type: ValueBanlistPostValidator
patterns: ['mailto', 'login', 'test-user', 'admin2', 'demo', 'myuser']
- type: MinimumLengthPostValidator
length: 4