Bearer token
Description
General
The bearer token detector aims at catching any token used for access in authentication methods such as OAuth 2.0.
This definition is very broad, so to avoid raising many false alerts, GitGuardian applies a range of validation steps and specifications to narrow the perimeter it looks at.
Specifications
As defined in RFC 7235, HTTP authentication using the Authorization header is common. Multiple authentication methods use this header, specifying the authentication scheme and the credentials in the following format: <authentication_scheme> <credentials>. This detector aims at catching such credentials.
To do so, the bearer token detector looks for the most common authentication schemes: Bearer, Token, Api-Key, Basic, NTLM, OAuth, Client-ID, JWT, Auth, App. It starts by identifying documents that contain the string of one of these authentication schemes and that satisfy GitGuardian's default filename banlist (see the prevalidator hereunder). Then the detector uses common detection techniques and applies post validation tools.
For this detector, the token must follow a specific set of rules to be considered sensitive and therefore valid:
- The caught token must be sensitive. Therefore, common values such as token or test are banned (see banlist hereunder).
- The token must not be used for private or test domains. The detector looks around the caught token to see whether a private/test hostname such as example.com, or an IP address starting with 127, is present.
Revoke the secret
This detector catches generic bearer tokens, hence GitGuardian cannot infer the concerned service. To properly revoke the token:
- Understand what service is impacted.
- Refer to the corresponding documentation to know how to revoke and rotate the token.
Examples
Examples that WILL be caught
- text: |
    headers = {"Authorization": "Bearer aoekthaoexukatoehsxkth8324AOX"}
  token: aoekthaoexukatoehsxkth8324AOX
- text: |
    headers = {"Authorization": "Token aoekthaoexukatoehsxkth8324AOX"}
  token: aoekthaoexukatoehsxkth8324AOX
Examples that WILL NOT be caught
- No authentication scheme is present in the document.
  - text: |
      headers = {"Authorization": "aoekthaoexukatoehsxkth8324AOX"}
- The token caught is a test token.
  - text: |
      headers = {"Authorization": "Bearer test"}
- A private IP is around the caught token.
  - text: |
      url = "127.0.0.0"
      headers = {"Authorization": "Bearer aoekthaoexukatoehsxkth8324AOX"}
Details for Bearer token
High Recall: False
Validity Check: False
Minimum Number of Matches: 1
Occurrences found for one million commits: 194
Prefixed: False
- type: FilenameBanlistPreValidator
  banlist_extensions:
    - html
    - css
    - md
    - lock
    - storyboard
    - xib
  banlist_filenames:
    - node_modules(/|\\)
    - vendors?(/|\\)
    - top-1000\.txt$
    - \.sops$
    - \.sops\.yaml$
  check_binaries: false
- type: ContentWhitelistPreValidator
  patterns:
    - bearer
- type: ValueBanlistPostValidator
  patterns:
    - authentication
    - token
    - test
    - '^(x+|y+|z+)\.(x+|y+|z+)\.(x+|y+|z+)'
    - '(abc){3}'
    - '000000'
    - '\.\.\.$'
    - '123456'
- type: EntropyPostValidator
  entropy: 3
- type: ContextWindowBanlistPostValidator
  window_width: 200
  patterns:
    - local
    - 127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}
    - 10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}
    - 172\.1[6-9]\.[0-9]{1,3}\.[0-9]{1,3}
    - 172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3}
    - 172\.3[0-1]\.[0-9]{1,3}\.[0-9]{1,3}
    - 192\.168\.[0-9]{1,3}\.[0-9]{1,3}
    - mydns\.net
    - example\.(com|net)
    - api\.a\.com
- type: DictFilterPostValidator
  min_word_length: 3
  threshold_words_pct_matched: 0.6
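The following Python is an added illustration of how the Specifications and the validator chain above fit together; it is not GitGuardian's own detector code. The scheme list, the value banlist, the entropy threshold, the 200-character context window and its patterns come from this page. Everything else is an assumption made for the example: the candidate regex for "<scheme> <credentials>", Shannon entropy measured in bits per character, a context window that excludes the token itself, and a tiny constructed word list standing in for the dictionary used by the DictFilterPostValidator (the page does not give that list). The sample documents in EXAMPLES are the page's own examples, reused as inputs.

```python
"""Constructed, simplified model of the bearer-token detector pipeline.
Added illustration for this page; not GitGuardian's implementation."""
import math
import re

# Authentication schemes listed on the page.
SCHEMES = ["Bearer", "Token", "Api-Key", "Basic", "NTLM", "OAuth",
           "Client-ID", "JWT", "Auth", "App"]

# Assumed candidate pattern: "<authentication_scheme> <credentials>".
# A document with none of the scheme strings yields no candidate at all,
# which also covers the "content whitelist" prevalidation step.
CANDIDATE_RE = re.compile(
    r"\b(?P<scheme>%s)\s+(?P<token>[A-Za-z0-9._~+/=-]{3,})"
    % "|".join(re.escape(s) for s in SCHEMES),
    re.IGNORECASE,
)

# ValueBanlistPostValidator patterns, copied from the page.
VALUE_BANLIST = [re.compile(p, re.IGNORECASE) for p in (
    r"authentication", r"token", r"test",
    r"^(x+|y+|z+)\.(x+|y+|z+)\.(x+|y+|z+)", r"(abc){3}",
    r"000000", r"\.\.\.$", r"123456",
)]

# EntropyPostValidator: entropy: 3 (assumed to mean bits per character).
ENTROPY_MIN = 3.0

# ContextWindowBanlistPostValidator: window_width and patterns from the page.
WINDOW_WIDTH = 200
CONTEXT_BANLIST = [re.compile(p, re.IGNORECASE) for p in (
    r"local",
    r"127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}",
    r"10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}",
    r"172\.1[6-9]\.[0-9]{1,3}\.[0-9]{1,3}",
    r"172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3}",
    r"172\.3[0-1]\.[0-9]{1,3}\.[0-9]{1,3}",
    r"192\.168\.[0-9]{1,3}\.[0-9]{1,3}",
    r"mydns\.net", r"example\.(com|net)", r"api\.a\.com",
)]

# DictFilterPostValidator: thresholds from the page; the word list is a
# constructed stand-in, a real detector would use a full dictionary.
DICT_WORDS = {"password", "secret", "example", "access", "admin",
              "user", "sample", "token", "test"}
MIN_WORD_LENGTH = 3
THRESHOLD_WORDS_PCT_MATCHED = 0.6


def shannon_entropy(s):
    """Shannon entropy of a string in bits per character."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dictionary_coverage(token):
    """Fraction of the token's characters covered by dictionary words."""
    low = token.lower()
    covered = [False] * len(low)
    for word in DICT_WORDS:
        if len(word) < MIN_WORD_LENGTH:
            continue
        start = low.find(word)
        while start != -1:
            for i in range(start, start + len(word)):
                covered[i] = True
            start = low.find(word, start + 1)
    return sum(covered) / len(low) if low else 0.0


def find_bearer_tokens(text):
    """Return (scheme, token) pairs that survive every post validator."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        token = m.group("token")
        if any(p.search(token) for p in VALUE_BANLIST):
            continue                      # banned low-value token
        if shannon_entropy(token) < ENTROPY_MIN:
            continue                      # too regular to be a secret
        window = (text[max(0, m.start() - WINDOW_WIDTH):m.start()]
                  + text[m.end():m.end() + WINDOW_WIDTH])
        if any(p.search(window) for p in CONTEXT_BANLIST):
            continue                      # private/test host nearby
        if dictionary_coverage(token) >= THRESHOLD_WORDS_PCT_MATCHED:
            continue                      # mostly dictionary words
        hits.append((m.group("scheme"), token))
    return hits


# The page's own examples, reused here as sample inputs.
EXAMPLES = [
    'headers = {"Authorization": "Bearer aoekthaoexukatoehsxkth8324AOX"}',
    'headers = {"Authorization": "Token aoekthaoexukatoehsxkth8324AOX"}',
    'headers = {"Authorization": "aoekthaoexukatoehsxkth8324AOX"}',
    'headers = {"Authorization": "Bearer test"}',
    'url = "127.0.0.0"\nheaders = {"Authorization": "Bearer aoekthaoexukatoehsxkth8324AOX"}',
]

if __name__ == "__main__":
    for doc in EXAMPLES:
        print(repr(doc), "->", find_bearer_tokens(doc))
```

Running the script reproduces the page's table: the first two documents yield one finding each, while the scheme-less document, the "Bearer test" document and the document mentioning 127.0.0.0 yield none. The order of the checks matters for cost more than for correctness, since each validator can only reject a candidate: cheap regex banlists run first, entropy next, and the context window scan last.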