Company email password
Description
General
The company email password detector aims at catching any company email/password pair that contains a sensitive email and could therefore endanger a company's security.
This statement is quite broad, so to avoid raising many false alerts, GitGuardian has come up with a range of validation steps and specifications that narrow down the perimeter to look at.
Specifications
The two components of the couple caught by the detector are referred to as `username` and `password`, and must be within a reasonable distance of each other inside a document to be flagged.
This detector only flags the closest couple of matches.
For this detector, each element must follow a specific set of rules to be considered sensitive, and therefore valid:
For both matches:
- Must be an assigned value, namely of the form `{assigned_variable} {assignment_token} {value}`, where `{assigned_variable}` is either `username`, `password`, or a similar string.
username:
- The document must contain the string `email` or `user` (see whitelist hereunder).
- Caught emails must be company related to be sensitive. Therefore, common personal email providers such as `gmail.com` are banned, as are non-sensitive aliases such as `no_reply` addresses (see banlist hereunder).
password:
- The document must contain the string `pass` (see whitelist hereunder).
- A set of rules filters out irrelevant passwords such as `password`, or values that are a URL, a date, or a file name (see banlist hereunder).
Revoke the secret
This detector catches generic credentials, hence GitGuardian cannot infer the concerned service. To properly revoke the credentials:
- Understand what service is impacted.
- Refer to the corresponding documentation to learn how to revoke and rotate the credentials.
Examples
Examples that WILL be caught
```yaml
- text: |
    email=some.french.name@gitguardian.com
    password=abuaoentsubaoeub24234$@3!
  username: some.french.name@gitguardian.com
  password: abuaoentsubaoeub24234$@3!
- text: |
    user=whatever@gitguardian.com
    pass=th1slsth3b3stp@$$w0rdw3c0uidc@m3upwlth
  username: whatever@gitguardian.com
  password: th1slsth3b3stp@$$w0rdw3c0uidc@m3upwlth
```
Examples that WILL NOT be caught
- The email address is not sensitive (gmail.com).

```yaml
- text: |
    email=some.french.name@gmail.com
    password=abuaoentsubaoeub24234$@3!
```

- The password is a URL.

```yaml
- text: |
    user=whatever@gitguardian.com
    pass=www.google.com
```
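The rules described in the specifications, run over the page's two caught and two not-caught examples plus a few further inputs, as a simplified re-implementation added here for illustration (this is not GitGuardian's code). The assignment regex, the `MAX_DISTANCE` limit standing in for the page's "reasonable distance", the URL/date/file-name heuristics and the short banlist excerpts are assumptions; the extra inputs (a bcrypt-style hash, a repeated character, a password preceded by `redis`, and two emails competing for one password) are constructed.

```python
"""Simplified model of this page's rules: find username/password assignments,
validate each side, and keep only the closest couple. Illustrative code written
for this page, not GitGuardian's engine; regexes, MAX_DISTANCE and the shortened
banlists are assumptions."""
import math
import re
from typing import Optional

# Document-level whitelist (ContentWhitelistPreValidator): "email"/"user" and "pass".
USERNAME_CONTEXT = re.compile(r"(?i)email|user")
PASSWORD_CONTEXT = re.compile(r"(?i)pass")

# Assigned values only: {assigned_variable} {assignment_token} {value}
ASSIGNMENT = re.compile(
    r"(?m)^[ \t]*(?P<var>[A-Za-z_][\w.-]*)[ \t]*(?P<tok>=>|:=|=|:)[ \t]*[\"']?(?P<val>[^\s\"',;]+)"
)
USERNAME_VAR = re.compile(r"(?i)user|email|login|mail")
PASSWORD_VAR = re.compile(r"(?i)pass|pwd")
EMAIL = re.compile(r"^[\w.+-]+@([\w-]+\.)+[A-Za-z]{2,}$")

# Excerpts of the page's banlists (the real lists are longer), matched case-insensitively.
BANNED_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "yopmail.com"}
USERNAME_BANLIST = [r"^foo@", r"^john@doe", r"no[_.-]reply", r"noreply", r"test", r"dummy", r"^ex[ae]mpl"]
PASSWORD_BANLIST = [
    r"^none", r"^null", r"pass", r"test", r"^admin", r"^your", r"1234",
    r"^\$(1|2|sha1|5|6|2(a|b|x|y))\$[0-9]{1,2}\$",  # crypt(3)/bcrypt hash, not a plaintext secret
    r"^pbkdf2_sha256\$",                             # hashed password
    r"\*{7}",                                        # redacted placeholder
    r"^process\.env\.",                              # reference to an environment variable
    r"^[~^]?[0-9]+\.[0-9]+\.[0-9]+$",                # semantic version
    r"^[^a-z0-9]+$",                                 # punctuation only
]
CONTEXT_BANLIST = ["passenger", "pgadmin", "redis", "postgres", "hash", "crypt", "passed:"]
CONTEXT_WINDOW = 25      # characters left of the password value (window_type: left)
MIN_ENTROPY_BITS = 1.0   # EntropyPostValidator: entropy: 1
MAX_DISTANCE = 300       # assumption for the page's "reasonable distance", in characters


def shannon_entropy(value: str) -> float:
    """Bits per character; a single repeated character scores 0."""
    n = len(value)
    return -sum(value.count(c) / n * math.log2(value.count(c) / n) for c in set(value))


def _banned(value: str, patterns) -> bool:
    return any(re.search(p, value, re.IGNORECASE) for p in patterns)


def looks_irrelevant(v: str) -> bool:
    """HeuristicPostValidator filters: url, date, file_name (simplified patterns)."""
    return any(re.match(p, v) for p in (
        r"(?i)^(https?://|www\.)",                                       # url
        r"^(\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{2,4})$",                # date
        r"(?i)^[\w-]+\.(txt|json|ya?ml|xml|pem|key|env|cfg|png|jpg)$",  # file_name
    ))


def valid_username(value: str) -> bool:
    """Must be an email, not on a personal/test provider, not a non-sensitive alias."""
    if not EMAIL.match(value):
        return False
    domain = value.rsplit("@", 1)[1].lower()
    return domain not in BANNED_DOMAINS and not _banned(value, USERNAME_BANLIST)


def valid_password(value: str, left_context: str) -> bool:
    """Value banlist, URL/date/file-name heuristics, entropy, then the left context window."""
    if _banned(value, PASSWORD_BANLIST) or looks_irrelevant(value):
        return False
    if shannon_entropy(value) < MIN_ENTROPY_BITS:
        return False
    window = left_context[-CONTEXT_WINDOW:].lower()
    return not any(word in window for word in CONTEXT_BANLIST)


def detect(text: str) -> Optional[dict]:
    """Return the closest valid (username, password) couple in `text`, or None."""
    if not (USERNAME_CONTEXT.search(text) and PASSWORD_CONTEXT.search(text)):
        return None
    users, passwords = [], []
    for m in ASSIGNMENT.finditer(text):
        var, val, pos = m.group("var"), m.group("val"), m.start("val")
        if PASSWORD_VAR.search(var):          # checked first so "user_pass" counts as a password
            if valid_password(val, text[:pos]):
                passwords.append((pos, val))
        elif USERNAME_VAR.search(var) and valid_username(val):
            users.append((pos, val))
    pairs = [(abs(pu - pp), u, p) for pu, u in users for pp, p in passwords if abs(pu - pp) <= MAX_DISTANCE]
    if not pairs:
        return None
    _, username, password = min(pairs)       # closest couple wins
    return {"username": username, "password": password}


# Constructed inputs: the first four are the page's own examples, the rest are added here.
CAUGHT_1 = "email=some.french.name@gitguardian.com\npassword=abuaoentsubaoeub24234$@3!\n"
CAUGHT_2 = "user=whatever@gitguardian.com\npass=th1slsth3b3stp@$$w0rdw3c0uidc@m3upwlth\n"
NOT_CAUGHT_GMAIL = "email=some.french.name@gmail.com\npassword=abuaoentsubaoeub24234$@3!\n"
NOT_CAUGHT_URL = "user=whatever@gitguardian.com\npass=www.google.com\n"
NOT_CAUGHT_HASH = "user=ops@gitguardian.com\npassword=$2b$12$Kq3f9x1YpW0vTz8LmN2oRuS4aB6cD7eF9gH1iJ3kL5mN7oP9qR1sT\n"
NOT_CAUGHT_LOW_ENTROPY = "user=ops@gitguardian.com\npassword=aaaaaaaaaaaa\n"
NOT_CAUGHT_CONTEXT = "user=ops@gitguardian.com\nredis_password=k7#Qz!pm39Lw\n"   # "redis" within 25 chars left
CLOSEST_PAIR = "admin_email=ceo@gitguardian.com\n" + "# ...\n" * 5 + "user=dev@gitguardian.com\npassword=Zq8!vT2#pLm9\n"
```

Calling `detect()` on each constant reproduces the page's verdicts: the two `CAUGHT_*` texts return a couple, every `NOT_CAUGHT_*` text returns `None`, and `CLOSEST_PAIR` returns `dev@gitguardian.com` rather than the more distant `ceo@gitguardian.com`. One caveat worth knowing when reading the banlists further down: the `(?-i:...)` pattern in the assignment banlist implies that matching is case-insensitive by default, and unanchored entries such as `pass` or `test` reject any value that merely contains them, so a real password like `Testing!2024` would be dropped as well.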
Details for Company email password
High Recall: False
Validity Check: False
Minimum Number of Matches: 2
Occurrences found for one million commits: 190
Prefixed: False
```yaml
- type: FilenameBanlistPreValidator
  banlist_extensions: ['gzip']
  banlist_filenames: ['(?i:fixture)', '(?i:test)', '(?i:seed)']
  check_binaries: False
- type: ContentWhitelistPreValidator
  patterns:
    - email
    - user
- type: ContentWhitelistPreValidator
  patterns:
    - pass
```
```yaml
password:
  - type: CommonValueBanlistPostValidator
  - type: CommonPasswordBanlistPostValidator
  - type: ValueBanlistPostValidator
    patterns:
      - ^none
      - ^null
      - ^empty
      - ^user
      - pass
      - senha # password in portuguese
      - ^root
      - ^admin
      - ^true
      - ^and
      - ^prompt
      - ^final$
      - ^string$
      - ^self
      - ^email
      - ^raw
      - ^your
      - ^new$
      - ^temp$
      - ^function$
      - ^undefined$
      - ^auth_email$
      - ^false$
      - ^request$
      - test
      - ^req$
      - '1234'
      - ^#
      - ^vault
      - ^value$
      - ^java
      - ^ansible
      - ^demo
      - '123213123'
      - ^guest
      - ^visit$
      - ^coffee123$
      - ^123bla456bla$
      - ^description$
      - '^\$(1|2|sha1|5|6|2(a|b|x|y))\$[0-9]{1,2}\$' # https://en.wikipedia.org/wiki/Bcrypt
      - '^pbkdf2_sha256\$' # hashed password
      - '^aqaaaaeaaccqaaaae' # hashed password
      - ^DateTime$
      - ^CompanyEmail$
      - ^string
      - ^equalTo$
      - ^Content-Type$
      - ^Role\.User$
      - ^e\.target\.value$
      - ^temp@123$
      - \.find_element_by_css$
      - ^process\.env\.
      - ^get\-content$
      - ^encodingutils\.sha256
      - '\*{7}'
      - ^[~^]?[0-9]+\.[0-9]+\.[0-9]+$
      - ^[^a-z0-9]+$
  - type: EntropyPostValidator
    entropy: 1
  - type: HeuristicPostValidator
    filters:
      - url
      - date
      - file_name
  - type: DictFilterPostValidator
    threshold_words_pct_matched: 1
  - type: ContextWindowBanlistPostValidator
    patterns:
      [
        'passenger',
        'pgadmin',
        'mango',
        'redis',
        'postgres',
        'hash',
        'crypt',
        'passed:',
      ]
    window_width: 25
    window_type: 'left'
  - type: AssignmentBanlistPostValidator
    patterns:
      - ^(?-i:[a-zA-Z0-9]{1,3}[A-Z0-9](Pwd|PWd|PwD|pWD|pWd|pwD))$
      - salt
username:
  - type: EmailDomainBanlistPostValidator
    additionnal_banned_domains:
      # non-exhaustive list of email provider and their domains
      # google
      - gmail.com
      # microsoft
      - outlook.com
      - outlook.fr
      - hotmail.fr
      - hotmail.ca
      - hotmail.de
      - hotmail.gr
      - hotmail.com
      - hotmail.co.uk
      - outlook.com.tr
      - outlook.com.br
      - live.fr
      - live.in
      - live.dk
      - live.de
      - live.cn
      - live.com
      - live.co.uk
      - live.com.ar
      - live.com.mx
      - live.com.pt
      - msn.com
      # yahoo
      - yahoo.com
      - yahoo.fr
      - yahoo.es
      - yahoo.it
      - yahoo.co.uk
      - yahoo.co.jp
      - yahoo.com.tw
      - yahoo.com.br
      - yahoo.com.hk
      - ymail.com
      - rocketmail.com
      # chinese email provider
      - qq.com
      - 163.com
      - 126.com
      # apple
      - me.com
      - icloud.com
      # yandex
      - yandex.ru
      - yandex.com
      # GMX
      - gmx.com
      - gmx.fr
      - gmx.us
      - caramail.fr
      - caramail.com
      # disposable mail
      - yopmail.com
      - mailinator.com
      # others
      - orange.fr
      - mail.com
      - mail.ru
      - naver.com
      - aol.com
      - protonmail.com
      - foxmail.com
      - chmail.ir
      # test domain
      - something.com
      - abc.com
      - pgadmin.org
      - emailaccount.com
      - person.com
  - type: CommonValueBanlistPostValidator
  - type: ValueBanlistPostValidator
    patterns:
      - ^none
      - ^null
      - ^empty
      - ^user
      - ^pass
      - ^root
      - ^admin
      - ^true
      - ^and
      - ^prompt
      - '@\.*local'
      - ^self
      - ^email
      - ^raw
      - ^your
      - ^random
      - ^info
      - ^bla
      - ^support
      - ^vault
      - test
      - sample
      - dummy
      - no[_.-]reply
      - ghost
      - abcdef
      - noaddressemail
      - noreply
      - contact-email
      - fake
      - ^xxx
      - ^wolf@thedoor.com$
      - ^company@company.com$
      - ^john@doe
      - ^temp@temp
      - ^google@google
      - ^foo@
      - ^ex[ae]mpl
      - ^me@
      - ^foo@bar
      - ^abc@
      - \.demo$
      - \.abc$
      - \.za$
      - \.baz$
      - \.nya$
      - \.tld$
```