
Bearer token

Description

General

The bearer token detector aims at catching any token used for access in authentication methods such as OAuth 2.0.

This definition is broad, so to avoid raising many false alerts GitGuardian applies a range of validation steps and specifications that narrow the scope of what the detector examines.

Specifications

As defined in RFC 7235, HTTP authentication using the Authorization header is common. Several authentication methods use this header, specifying the authentication scheme and the credentials in the format <authentication_scheme> <credentials>. This detector aims at catching such credentials.

To do so, the bearer token detector looks for the most common authentication schemes: Bearer, Token, Api-Key, Basic, NTLM, OAuth, Client-ID, JWT, Auth, App. It starts by identifying documents that contain one of these scheme strings and that pass GitGuardian's default filename banlist (see the prevalidator hereunder). The detector then applies common detection techniques followed by post-validation checks.

For this detector, the token must follow a specific set of rules to be considered sensitive and therefore valid:

Token

  • The caught token must be sensitive. Common values such as token or test are therefore banned (see the banlist hereunder).
  • The token must not be used for private or test domains. The detector inspects the context around the caught token and discards it if a private or test hostname such as example.com, or an IP address starting with 127, is found nearby.

Revoke the secret

This detector catches generic bearer tokens, hence GitGuardian cannot infer the concerned service. To properly revoke the token:

  1. Understand what service is impacted.
  2. Refer to the corresponding documentation to know how to revoke and rotate the token.

Examples

Examples that WILL be caught

- text: |
    headers = {"Authorization": "Bearer aoekthaoexukatoehsxkth8324AOX"}
  token: aoekthaoexukatoehsxkth8324AOX
- text: |
    headers = {"Authorization": "Token aoekthaoexukatoehsxkth8324AOX"}
  token: aoekthaoexukatoehsxkth8324AOX

Examples that WILL NOT be caught

  • No authentication scheme is present in the document.

- text: |
    headers = {"Authorization": "aoekthaoexukatoehsxkth8324AOX"}

  • The token caught is a test token.

- text: |
    headers = {"Authorization": "Bearer test"}

  • A private IP is around the caught token.

- text: |
    url = "127.0.0.0"
    headers = {"Authorization": "Bearer aoekthaoexukatoehsxkth8324AOX"}

Details for Bearer token

  • High Recall: False

  • Validity Check: False

  • Minimum Number of Matches: 1

  • Occurrences found for one million commits: 194

  • Prefixed: False

  • PreValidators:

- type: FilenameBanlistPreValidator
  banlist_extensions:
    - html
    - css
    - md
    - lock
    - storyboard
    - xib
  banlist_filenames:
    - node_modules(/|\\)
    - vendors?(/|\\)
    - top-1000\.txt$
    - \.sops$
    - \.sops\.yaml$
  check_binaries: false
- type: ContentWhitelistPreValidator
  patterns:
    - bearer

  • PostValidators:

- type: ValueBanlistPostValidator
  patterns:
    - authentication
    - token
    - test
    - '^(x+|y+|z+)\.(x+|y+|z+)\.(x+|y+|z+)'
    - '(abc){3}'
    - '000000'
    - '\.\.\.$'
    - '123456'
- type: EntropyPostValidator
  entropy: 3
- type: ContextWindowBanlistPostValidator
  window_width: 200
  patterns:
    - local
    - 127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}
    - 10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}
    - 172\.1[6-9]\.[0-9]{1,3}\.[0-9]{1,3}
    - 172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3}
    - 172\.3[0-1]\.[0-9]{1,3}\.[0-9]{1,3}
    - 192\.168\.[0-9]{1,3}\.[0-9]{1,3}
    - mydns\.net
    - example\.(com|net)
    - api\.a\.com
- type: DictFilterPostValidator
  min_word_length: 3
  threshold_words_pct_matched: 0.6
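To make the Specifications and the validator list above concrete, here is an added example that re-implements the pipeline in simplified form (it is not GitGuardian's code): a filename banlist prevalidator, an Authorization-header match on the listed schemes, then the value banlist, the entropy threshold of 3 and the 200-character context-window banlist. The header regex, the exact matching semantics of each validator and the omission of the DictFilterPostValidator are assumptions.

```python
import math
import re
from collections import Counter
# Added example: simplified re-implementation of the rules on this page, not
# GitGuardian's detector. The Authorization-header regex and each check's exact
# semantics are assumptions; the DictFilterPostValidator is left out.
SCHEMES = ["Bearer", "Token", "Api-Key", "Basic", "NTLM", "OAuth", "Client-ID", "JWT", "Auth", "App"]
HEADER_RE = re.compile(r"Authorization[\"']?\s*[:=]\s*[\"']?(?P<scheme>"
                       + "|".join(map(re.escape, SCHEMES)) + r")\s+(?P<token>[A-Za-z0-9._~+/=-]+)")
BANNED_EXTENSIONS = {"html", "css", "md", "lock", "storyboard", "xib"}
BANNED_FILENAMES = [re.compile(p) for p in (
    r"node_modules(/|\\)", r"vendors?(/|\\)", r"top-1000\.txt$", r"\.sops$", r"\.sops\.yaml$")]
VALUE_BANLIST = [re.compile(p, re.I) for p in (
    r"authentication", r"token", r"test", r"^(x+|y+|z+)\.(x+|y+|z+)\.(x+|y+|z+)",
    r"(abc){3}", r"000000", r"\.\.\.$", r"123456")]
CONTEXT_BANLIST = [re.compile(p, re.I) for p in (
    r"local", r"127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}", r"10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}",
    r"172\.1[6-9]\.[0-9]{1,3}\.[0-9]{1,3}", r"172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3}",
    r"172\.3[0-1]\.[0-9]{1,3}\.[0-9]{1,3}", r"192\.168\.[0-9]{1,3}\.[0-9]{1,3}",
    r"mydns\.net", r"example\.(com|net)", r"api\.a\.com")]
MIN_ENTROPY = 3.0   # EntropyPostValidator: entropy: 3
WINDOW_WIDTH = 200  # ContextWindowBanlistPostValidator: window_width: 200

def shannon_entropy(value):
    """Bits per character of the value's empirical character distribution."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())

def is_file_scanned(path):
    """FilenameBanlistPreValidator: False when the path is on the default banlist."""
    ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
    return ext not in BANNED_EXTENSIONS and not any(p.search(path) for p in BANNED_FILENAMES)

def find_bearer_tokens(text, path="settings.py"):
    """Return the credentials these rules would report for one document."""
    if not is_file_scanned(path):
        return []
    hits = []
    for m in HEADER_RE.finditer(text):
        token = m.group("token")
        if any(p.search(token) for p in VALUE_BANLIST):
            continue  # ValueBanlistPostValidator: placeholder such as "test"
        if shannon_entropy(token) < MIN_ENTROPY:
            continue  # EntropyPostValidator: too predictable to be a real secret
        window = text[max(0, m.start() - WINDOW_WIDTH): m.end() + WINDOW_WIDTH]
        if any(p.search(window) for p in CONTEXT_BANLIST):
            continue  # ContextWindowBanlistPostValidator: private IP or test host nearby
        hits.append(token)
    return hits
```

Running it over the "WILL be caught" and "WILL NOT be caught" snippets above reproduces the page's verdicts, and a path such as docs/README.md or node_modules/lib/a.js is dropped by the prevalidator before any token is examined.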