PostgreSQL Credentials
Description
General
- Documentation: https://www.postgresql.org/docs/13/index.html
- Summary: PostgreSQL is an open-source relational database management system. This detector catches PostgreSQL credentials in the form of a URI connection string, in a CLI command, or stored in a pgpass file.
- IPs allowlist: IP allowlisting can be enforced on the server side.
- Scopes: PostgreSQL supports role-based access, so different levels of access can be granted to different users.
Revoke the secret
A variety of PostgreSQL commands can be used to change a user's role or password, or even to drop the affected user. This documentation page can be a good starting point for more information on these topics.
Check for suspicious activity
Auditing PostgreSQL logs can provide information about any suspicious activity on the database.
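As an added example (not part of the original page), the following audit looks through a server log for use of a leaked role from clients outside the expected networks. It assumes log_connections is enabled and the default log_line_prefix ('%m [%p] '); the sample log, the function names and the expected network are constructed here, and the role name doadmin is borrowed from the examples on this page.

```python
import ipaddress
import re

# Assumes the default log_line_prefix '%m [%p] ' and log_connections = on.
LINE = re.compile(r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] [A-Z]+:\s+(?P<msg>.*)$")
RECEIVED = re.compile(r"connection received: host=(?P<host>\S+)")
AUTHORIZED = re.compile(r"connection authorized: user=(?P<user>\S+)")
FAILED = re.compile(r'password authentication failed for user "(?P<user>[^"]+)"')

# Constructed sample log; client addresses are documentation ranges.
SAMPLE_LOG = """\
2024-05-02 10:15:01.123 UTC [4101] LOG:  connection received: host=10.0.4.17 port=40122
2024-05-02 10:15:01.140 UTC [4101] LOG:  connection authorized: user=doadmin database=defaultdb
2024-05-02 11:02:44.310 UTC [4188] LOG:  connection received: host=203.0.113.54 port=51844
2024-05-02 11:02:44.352 UTC [4188] FATAL:  password authentication failed for user "doadmin"
2024-05-02 11:03:10.007 UTC [4190] LOG:  connection received: host=203.0.113.54 port=51850
2024-05-02 11:03:10.031 UTC [4190] LOG:  connection authorized: user=doadmin database=defaultdb
2024-05-02 11:05:00.000 UTC [4201] LOG:  connection received: host=198.51.100.9 port=40000
2024-05-02 11:05:00.020 UTC [4201] LOG:  connection authorized: user=reporting database=defaultdb
"""

def _expected(host, networks):
    """True only when host is an IP address inside one of the expected networks."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # hostname, '[local]' or unknown: leave it for review
        return False
    return any(addr in net for net in networks)

def audit_role(log_text, role, expected_networks):
    """Return (timestamp, client, outcome) for role activity from unexpected clients."""
    networks = [ipaddress.ip_network(n) for n in expected_networks]
    host_by_pid, findings = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        received = RECEIVED.search(m["msg"])
        if received:  # the client address is logged once per backend PID
            host_by_pid[m["pid"]] = received["host"]
            continue
        ok, bad = AUTHORIZED.search(m["msg"]), FAILED.search(m["msg"])
        hit = ok or bad
        if not hit or hit["user"] != role:
            continue
        host = host_by_pid.get(m["pid"], "unknown")
        if not _expected(host, networks):
            findings.append((m["ts"], host, "login" if ok else "failed"))
    return findings
```

Calling audit_role(SAMPLE_LOG, "doadmin", ["10.0.0.0/8"]) returns the failed attempt and the later successful login from 203.0.113.54, while the login from 10.0.4.17 is treated as expected.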
Details for Postgres assignment
Family: Database
Category: Data storage
High recall: False
Validity check available: True
On-premise instances exist: False
Only valid secrets raise an alert: False
Minimum number of matches: 4
Occurrences found for one million commits: 53.36
Prefixed: False
PreValidators:
- type: ContentWhitelistPreValidator
  patterns:
  - postgre
  - pgsql
  - psql
Examples
- text: |
    docker run --name geonetwork -d -p 8080:8080 -e PG_HOST=google.com -e PG_PORT=5434 -e PG_USERNAME=postgres -e PG_PASSWORD=m42ploz2wd geonetwork
  host: google.com
  port: '5434'
  username: postgres
  password: m42ploz2wd
- text: |
    Assignment
    dbusername = doadmin
    dbpassword = vg498hwegw1udp6s
    dbhost = db-postgres-nyc1-76477-do-user-1391911-0.db.ondigitalocean.com
    dbport = 25060
    dbdatabase = defaultdb
    dbsslmode = require
  username: doadmin
  password: vg498hwegw1udp6s
  host: db-postgres-nyc1-76477-do-user-1391911-0.db.ondigitalocean.com
  port: '25060'
- text: |
    server.port=5433
    spring.datasource.postgres.hikari.jdbc-url=jdbc:postgresql://google.com/postgres
    spring.datasource.postgres.hikari.username=postgres
    spring.datasource.postgres.hikari.password=m42ploz2wd
  host: google.com
  port: '5433'
  username: postgres
  password: m42ploz2wd
Details for Postgres assignment attached port
Family: Database
Category: Data storage
High recall: False
Validity check available: True
On-premise instances exist: False
Only valid secrets raise an alert: False
Minimum number of matches: 4
Occurrences found for one million commits: 41.5
Prefixed: False
PreValidators:
- type: ContentWhitelistPreValidator
  patterns:
  - postgre
Examples
- text: |
    postgres
    docker run
    --name geonetwork -d
    -p 8080:8080
    -e PG_HOST=google.com:5434
    -e PG_PORT=1212
    -e PG_USERNAME=root
    -e PG_PASSWORD=m42ploz2wd geonetwork
  host: google.com
  port: '5434'
  username: root
  password: m42ploz2wd
- text: |
    server.port=1212
    spring.datasource.url=jdbc:postgresql://google.com:9082/BLUDB
    spring.datasource.username=root
    spring.datasource.password=sup3rstr0ngpass
  host: google.com
  port: '9082'
  username: root
  password: sup3rstr0ngpass
Details for Postgres pgpass
Family: Database
Category: Data storage
High recall: False
Validity check available: True
On-premise instances exist: False
Only valid secrets raise an alert: False
Minimum number of matches: 5
Occurrences found for one million commits: 0.046
Prefixed: False
PreValidators:
- type: ContentWhitelistPreValidator
  patterns:
  - pgpass
Examples
- text: secret.postgresql.host.com:5432:mydb:secret-us3r-oo:p@sswOrd
  host: secret.postgresql.host.com
  port: '5432'
  database: mydb
  username: secret-us3r-oo
  password: p@sswOrd
# Test with a password containing colon, should be escaped with a backslash
- text: secret.postgresql.host.com:5432:mydb:secret-us3r-oo:strongp@ss\:93
  host: secret.postgresql.host.com
  port: '5432'
  database: mydb
  username: secret-us3r-oo
  password: strongp@ss\:93
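The second pgpass example depends on backslash escaping inside the password field. As an added example (not the detector's own code), this parser splits a pgpass line on unescaped colons and returns the unescaped password; the function names and the last two sample lines are constructed here, and treating everything after the fourth separator as the password is an assumption of this example.

```python
from typing import List, NamedTuple, Optional

class PgpassEntry(NamedTuple):
    host: str
    port: str
    database: str
    username: str
    password: str

# Constructed sample: the first two entries reuse the examples above.
SAMPLE_PGPASS = r"""# hostname:port:database:username:password
secret.postgresql.host.com:5432:mydb:secret-us3r-oo:p@sswOrd
secret.postgresql.host.com:5432:mydb:secret-us3r-oo:strongp@ss\:93
*:*:*:replicator:wild\\card
not-a-pgpass-line
"""

def split_fields(line: str) -> List[str]:
    """Split on unescaped ':'; a backslash makes the next character literal."""
    fields, current, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            current.append(line[i + 1])  # drop the backslash, keep the character
            i += 2
            continue
        if ch == ":" and len(fields) < 4:  # assumption: field five is the rest of the line
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    fields.append("".join(current))
    return fields

def parse_line(line: str) -> Optional[PgpassEntry]:
    """Return the entry, or None for comments, blanks and malformed lines."""
    line = line.rstrip("\r\n")
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    fields = split_fields(line)
    if len(fields) != 5 or not fields[4]:
        return None
    return PgpassEntry(*fields)

def parse_pgpass(text: str) -> List[PgpassEntry]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]
```

For the second entry the parser returns the password strongp@ss:93, without the backslash, which is the value to use when validating or rotating the leaked credential.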
Details for Postgres uri
Family: Database
Category: Data storage
High recall: True
Validity check available: True
On-premise instances exist: False
Only valid secrets raise an alert: False
Minimum number of matches: 5
Occurrences found for one million commits: 266.25
Prefixed: True
PreValidators:
- type: FilenameBanlistPreValidator
  banlist_extensions: []
  banlist_filenames: []
  check_binaries: false
  include_default_banlist_extensions: true
  ban_markup: false
- type: ContentWhitelistPreValidator
  patterns:
  - postg(res|is)
Examples
- text: |
    CONNECTION_URI="postgres://postgres:m42ploz2wd@google.com:5434/thegift"
  host: google.com
  port: '5434'
  username: postgres
  password: m42ploz2wd
  scheme: postgres
  database: thegift
  connection_uri: postgres://postgres:m42ploz2wd@google.com:5434/thegift
- text: |
    Connection URI= postgresql://doadmin:vg498hwegw1udp6s@db-postgresql-nyc1-76477-do-user-1391911-0.db.ondigitalocean.com:25060/defaultdb?sslmode=require
  host: db-postgresql-nyc1-76477-do-user-1391911-0.db.ondigitalocean.com
  port: '25060'
  username: doadmin
  password: vg498hwegw1udp6s
  scheme: postgresql
  connection_uri: postgresql://doadmin:vg498hwegw1udp6s@db-postgresql-nyc1-76477-do-user-1391911-0.db.ondigitalocean.com:25060/defaultdb?sslmode=require
  query: 'sslmode=require'
  database: defaultdb
# Test special characters in password
- text: |
    CONNECTION_URI="postgres://postgres:m42p!o@2wd@google.com:5434/thegift"
  host: google.com
  port: '5434'
  username: postgres
  password: m42p!o@2wd
  scheme: postgres
  database: thegift
  connection_uri: postgres://postgres:m42p!o@2wd@google.com:5434/thegift
# Test postgis scheme
- text: |
    CONNECTION_URI="postgis://postgres:m42p!o@2wd@google.com:5434/thegift"
  host: google.com
  port: '5434'
  username: postgres
  password: m42p!o@2wd
  scheme: postgis
  database: thegift
  connection_uri: postgis://postgres:m42p!o@2wd@google.com:5434/thegift
# Test detection in md files
- text: |
    CONNECTION_URI="postgis://postgres:m42p!o@2wd@google.com:5434/thegift"
  host: google.com
  port: '5434'
  username: postgres
  password: m42p!o@2wd
  scheme: postgis
  database: thegift
  connection_uri: postgis://postgres:m42p!o@2wd@google.com:5434/thegift
Details for Postgres cli
Family: Database
Category: Data storage
High recall: False
Validity check available: True
On-premise instances exist: False
Only valid secrets raise an alert: False
Minimum number of matches: 3
Occurrences found for one million commits: 0.28
Prefixed: False
PreValidators:
- type: FilenameBanlistPreValidator
  banlist_extensions: []
  banlist_filenames: []
  check_binaries: false
  include_default_banlist_extensions: true
  ban_markup: true
- type: ContentWhitelistPreValidator
  patterns:
  - psql
Examples
- text: |
    PGPASSWORD=strongp@ss psql -hdb-postgresql-ams3-58486-do-user-7772205-0.b.db.ondigitalocean.com -Udoadmin -p 25060
  host: db-postgresql-ams3-58486-do-user-7772205-0.b.db.ondigitalocean.com
  username: doadmin
  password: strongp@ss
- text: |
    PGPASSWORD=strongp@ss psql -h12.76.135.14 -Udoadmin -p 25060
  host: 12.76.135.14
  username: doadmin
  password: strongp@ss
# Test with full option names
- text: |
    PGPASSWORD=strongp@ss psql --host=db-postgresql-ams3-58486-do-user-7772205-0.b.db.ondigitalocean.com --username doadmin -p 25060
  host: db-postgresql-ams3-58486-do-user-7772205-0.b.db.ondigitalocean.com
  username: doadmin
  password: strongp@ss
# Test with another order for options
- text: |
    PGPASSWORD=strongp@ss psql --usern=doadmin -p 25060 --hos db-postgresql-ams3-58486-do-user-7772205-0.b.db.ondigitalocean.com
  host: db-postgresql-ams3-58486-do-user-7772205-0.b.db.ondigitalocean.com
  username: doadmin
  password: strongp@ss
# Test with some extra options in the middle of it all
- text: |
    PGPASSWORD=strongp@ss psql --username doadmin -d mydatabase --host db-postgresql-ams3-58486-do-user-7772205-0.b.db.ondigitalocean.com
  host: db-postgresql-ams3-58486-do-user-7772205-0.b.db.ondigitalocean.com
  username: doadmin
  password: strongp@ss
# Multiple whitespaces
- text: |
    PGPASSWORD=strongp@ss psql --username doadmin -d mydatabase --host db-postgresql-ams3-58486-do-user-7772205-0.b.db.ondigitalocean.com
  host: db-postgresql-ams3-58486-do-user-7772205-0.b.db.ondigitalocean.com
  username: doadmin
  password: strongp@ss