Bearer token
Description
General
The bearer token detector aims at catching any token used for access in authentication methods such as OAuth 2.0.
This definition is very broad; to avoid raising many false alerts, GitGuardian has come up with a range of validation steps and specifications that narrow the perimeter the detector looks at.
Specifications
As defined in RFC 6750, Bearer authentication is a common HTTP authentication method. A Bearer token
is usually issued to a user after a successful login request to a server. The user then sends this token
in request headers to authenticate themselves and to access some resources. This detector aims at catching Bearer tokens.
To do so, the bearer token detector starts by identifying documents that contain the string bearer
and that pass GitGuardian's default filename banlist (see the prevalidator hereunder). Then the detector uses common detection techniques and applies post-validation tools.
For this detector, the token must follow a specific set of rules to be considered as sensitive and therefore valid:
- The caught token must be sensitive. Therefore, common values such as token or test are banned (see the banlist hereunder).
- The token must not be used for private or test domains. The detector looks around the caught token to see if a private/test hostname is present, such as example.com, or an IP address starting with 127.
Revoke the secret
This detector catches generic bearer tokens, hence GitGuardian cannot infer which service is concerned. To properly revoke the token:
- Understand what service is impacted.
- Refer to the corresponding documentation to know how to revoke and rotate the token.
Examples
Examples that WILL be caught
- text: |
    headers = {"Authorization": "Bearer aoekthaoexukatoehsxkth8324AOX"}
  token: aoekthaoexukatoehsxkth8324AOX
Examples that WILL NOT be caught
- The string bearer is not present in the document.
  text: |
    headers = {"Authorization": "aoekthaoexukatoehsxkth8324AOX"}
- The token caught is a test token.
  text: |
    headers = {"Authorization": "Bearer test"}
- A private IP is around the caught token.
  text: |
    url = "127.0.0.0"
    headers = {"Authorization": "Bearer aoekthaoexukatoehsxkth8324AOX"}
Details for Bearer token
High Recall: False
Validity Check: False
Minimum Number of Matches: 1
Occurrences found for one million commits: 194
Prefixed: False
- type: FilenameBanlistPreValidator
  banlist_extensions:
    - html
    - css
    - md
    - lock
    - storyboard
    - xib
  banlist_filenames:
    - node_modules(/|\\)
    - vendors?(/|\\)
    - top-1000\.txt$
    - \.sops$
    - \.sops\.yaml$
  check_binaries: false
- type: ContentWhitelistPreValidator
  patterns:
    - bearer
- type: ValueBanlistPostValidator
  patterns:
    - authentication
    - token
    - test
    - '^(x+|y+|z+)\.(x+|y+|z+)\.(x+|y+|z+)'
    - '(abc){3}'
    - '000000'
    - '\.\.\.$'
    - '123456'
- type: EntropyPostValidator
  entropy: 3
- type: ContextWindowBanlistPostValidator
  window_width: 200
  patterns:
    - local
    - 127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}
    - 10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}
    - 172\.1[6-9]\.[0-9]{1,3}\.[0-9]{1,3}
    - 172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3}
    - 172\.3[0-1]\.[0-9]{1,3}\.[0-9]{1,3}
    - 192\.168\.[0-9]{1,3}\.[0-9]{1,3}
    - mydns\.net
    - example\.(com|net)
    - api\.a\.com
- type: DictFilterPostValidator
  min_word_length: 3
  threshold_words_pct_matched: 0.6
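To show how the prevalidators and post-validators above combine, here is an added Python re-implementation of the pipeline run over the examples from this page. It is illustrative code written for this page, not GitGuardian's detector: the token regex and case-insensitive matching are assumptions, and the DictFilterPostValidator is left out because it needs a word list the page does not provide.

```python
import math
import re

# Added re-implementation of the validation steps described on this page (assumed behaviour,
# not GitGuardian's code). The DictFilterPostValidator is omitted: it needs a word list.
BANLIST_EXTENSIONS = {"html", "css", "md", "lock", "storyboard", "xib"}
BANLIST_FILENAMES = [re.compile(p) for p in (
    r"node_modules(/|\\)", r"vendors?(/|\\)", r"top-1000\.txt$", r"\.sops$", r"\.sops\.yaml$")]
VALUE_BANLIST = [re.compile(p, re.IGNORECASE) for p in (
    r"authentication", r"token", r"test", r"^(x+|y+|z+)\.(x+|y+|z+)\.(x+|y+|z+)",
    r"(abc){3}", r"000000", r"\.\.\.$", r"123456")]
CONTEXT_BANLIST = [re.compile(p, re.IGNORECASE) for p in (
    r"local", r"127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}", r"10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}",
    r"172\.1[6-9]\.[0-9]{1,3}\.[0-9]{1,3}", r"172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3}",
    r"172\.3[0-1]\.[0-9]{1,3}\.[0-9]{1,3}", r"192\.168\.[0-9]{1,3}\.[0-9]{1,3}",
    r"mydns\.net", r"example\.(com|net)", r"api\.a\.com")]
# Assumed token shape: the page does not give the matching regex it uses.
TOKEN_RE = re.compile(r"bearer\s+([A-Za-z0-9._\-]+)", re.IGNORECASE)
WINDOW_WIDTH = 200   # window_width of the ContextWindowBanlistPostValidator
MIN_ENTROPY = 3.0    # entropy threshold of the EntropyPostValidator


def filename_is_scanned(path):
    """FilenameBanlistPreValidator: skip banned extensions and banned path patterns."""
    ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
    if ext in BANLIST_EXTENSIONS:
        return False
    return not any(p.search(path) for p in BANLIST_FILENAMES)


def shannon_entropy(value):
    """Shannon entropy in bits per character of the candidate token."""
    probs = [value.count(c) / len(value) for c in set(value)]
    return -sum(p * math.log2(p) for p in probs)


def find_bearer_tokens(document):
    """Return the candidate tokens in a document that survive every validation step."""
    if "bearer" not in document.lower():  # ContentWhitelistPreValidator
        return []
    found = []
    for m in TOKEN_RE.finditer(document):
        token = m.group(1)
        if any(p.search(token) for p in VALUE_BANLIST):  # ValueBanlistPostValidator
            continue
        if shannon_entropy(token) < MIN_ENTROPY:  # EntropyPostValidator
            continue
        # ContextWindowBanlistPostValidator: inspect 200 chars on each side of the match
        context = document[max(0, m.start() - WINDOW_WIDTH):m.end() + WINDOW_WIDTH]
        if any(p.search(context) for p in CONTEXT_BANLIST):
            continue
        found.append(token)
    return found
```

Running it on the four examples above returns the token only for the first one; the other three are dropped by the content whitelist, the value banlist and the context banlist respectively.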