PostgreSQL Credentials
Description
General
- Documentation: https://www.postgresql.org/docs/13/index.html
- Summary: PostgreSQL is an open-source relational database management system. This detector catches PostgreSQL credentials in the form of a URI connection string, in a CLI command or stored in a
pgpassfile. - IPs allowlist: IPs allowlisting can be enforced on the server side.
- Scopes: PostgreSQL supports a role-based access, and thus different level of access can be granted to different users.
Revoke the secret
A variety of PostgreSQL commands are useful to change a user's role, password or even to drop the concerned user. This documentation page can be a good starting point to get more information on the topics.
Check for suspicious activity
Auditing PostgreSQL logs can provide information about any suspicious activity on the database.
Details for Postgres assignment
-
Family: Database
-
Category: Data storage
-
High recall: False
-
Validity check available: True
-
Analyzer available: True
-
On-premise instances exist: False
-
Only valid secrets raise an alert: False
-
Minimum number of matches: 4
-
Occurrences found for one million commits: 53.36
-
Prefixed: False
-
PreValidators:
- type: ContentWhitelistPreValidator
patterns:
- postgre
- pgsql
- psql
Examples
- text: |
docker run --name geonetwork -d -p 8080:8080 -e PG_HOST=google.com -e PG_PORT=5434 -e PG_USERNAME=postgres -e PG_PASSWORD=m42ploz2wd geonetwork
host: google.com
port: '5434'
username: postgres
password: m42ploz2wd
- text: |
Assignment
dbusername = doadmin
dbpassword = vg498hwegw1udp6s
dbhost = db-postgres-nyc1-76477-do-user-1391911-0.db.ondigitalocean.com
dbport = 25060
dbdatabase = defaultdb
dbsslmode = require
username: doadmin
password: vg498hwegw1udp6s
host: db-postgres-nyc1-76477-do-user-1391911-0.db.ondigitalocean.com
port: '25060'
- text: |
server.port=5433
spring.datasource.postgres.hikari.jdbc-url=jdbc:postgresql://google.com/postgres
spring.datasource.postgres.hikari.username=postgres
spring.datasource.postgres.hikari.password=m42ploz2wd
host: google.com
port: '5433'
username: postgres
password: m42ploz2wd
Details for Postgres assignment attached port
-
Family: Database
-
Category: Data storage
-
High recall: False
-
Validity check available: True
-
Analyzer available: True
-
On-premise instances exist: False
-
Only valid secrets raise an alert: False
-
Minimum number of matches: 4
-
Occurrences found for one million commits: 41.5
-
Prefixed: False
-
PreValidators:
- type: ContentWhitelistPreValidator
patterns:
- postgre
Examples
- text: |
postgres
docker run
--name geonetwork -d
-p 8080:8080
-e PG_HOST=google.com:5434
-e PG_PORT=1212
-e PG_USERNAME=root
-e PG_PASSWORD=m42ploz2wd geonetwork
host: google.com
port: '5434'
username: root
password: m42ploz2wd
- text: |
server.port=1212
spring.datasource.url=jdbc:postgresql://google.com:9082/BLUDB
spring.datasource.username=root
spring.datasource.password=sup3rstr0ngpass
host: google.com
port: '9082'
username: root
password: sup3rstr0ngpass
Details for Postgres pgpass
-
Family: Database
-
Category: Data storage
-
High recall: False
-
Validity check available: True
-
Analyzer available: True
-
On-premise instances exist: False
-
Only valid secrets raise an alert: False
-
Minimum number of matches: 5
-
Occurrences found for one million commits: 0.046
-
Prefixed: False
-
PreValidators:
- type: ContentWhitelistPreValidator
patterns:
- pgpass
Examples
- text: secret.postgresql.host.com:5432:mydb:secret-us3r-oo:p@sswOrd
host: secret.postgresql.host.com
port: '5432'
database: mydb
username: secret-us3r-oo
password: p@sswOrd
# Test with a password containing colon, should be escaped with a backslash
- text: secret.postgresql.host.com:5432:mydb:secret-us3r-oo:strongp@ss\:93
host: secret.postgresql.host.com
port: '5432'
database: mydb
username: secret-us3r-oo
password: strongp@ss\:93
Details for Postgres uri
-
Family: Database
-
Category: Data storage
-
High recall: True
-
Validity check available: True
-
Analyzer available: True
-
On-premise instances exist: False
-
Only valid secrets raise an alert: False
-
Minimum number of matches: 5
-
Occurrences found for one million commits: 266.25
-
Prefixed: True
-
PreValidators:
- type: FilenameBanlistPreValidator
banlist_extensions: []
banlist_filenames: []
check_binaries: false
include_default_banlist_extensions: true
ban_markup: false
- type: ContentWhitelistPreValidator
patterns:
- postg(res|is)
Examples
- text: |
CONNECTION_URI="postgres://postgres:m42ploz2wd@google.com:5434/thegift"
host: google.com
port: '5434'
username: postgres
password: m42ploz2wd
scheme: postgres
database: thegift
connection_uri: postgres://postgres:m42ploz2wd@google.com:5434/thegift
- text: |
Connection URI= postgresql://doadmin:vg498hwegw1udp6s@db-postgresql-nyc1-76477-do-user-1391911-0.db.ondigitalocean.com:25060/defaultdb?sslmode=require
host: db-postgresql-nyc1-76477-do-user-1391911-0.db.ondigitalocean.com
port: '25060'
username: doadmin
password: vg498hwegw1udp6s
scheme: postgresql
connection_uri: postgresql://doadmin:vg498hwegw1udp6s@db-postgresql-nyc1-76477-do-user-1391911-0.db.ondigitalocean.com:25060/defaultdb?sslmode=require
query: 'sslmode=require'
database: defaultdb
# Test special characters in password
- text: |
CONNECTION_URI="postgres://postgres:m42p!o@2wd@google.com:5434/thegift"
host: google.com
port: '5434'
username: postgres
password: m42p!o@2wd
scheme: postgres
database: thegift
connection_uri: postgres://postgres:m42p!o@2wd@google.com:5434/thegift
# Test postgis scheme
- text: |
CONNECTION_URI="postgis://postgres:m42p!o@2wd@google.com:5434/thegift"
host: google.com
port: '5434'
username: postgres
password: m42p!o@2wd
scheme: postgis
database: thegift
connection_uri: postgis://postgres:m42p!o@2wd@google.com:5434/thegift
# Test detection in md files
- text: |
CONNECTION_URI="postgis://postgres:m42p!o@2wd@google.com:5434/thegift"
host: google.com
port: '5434'
username: postgres
password: m42p!o@2wd
scheme: postgis
database: thegift
connection_uri: postgis://postgres:m42p!o@2wd@google.com:5434/thegift
# Single quotes are properly handled
- text: |
create_engine('postgresql://postgres:m42ploz2wd@google.com:5432/mydb')
connection_uri: postgresql://postgres:m42ploz2wd@google.com:5432/mydb
host: google.com
port: '5432'
username: postgres
scheme: postgresql
password: m42ploz2wd
database: mydb
Details for Postgres cli
-
Family: Database
-
Category: Data storage
-
High recall: False
-
Validity check available: True
-
Analyzer available: True
-
On-premise instances exist: False
-
Only valid secrets raise an alert: False
-
Minimum number of matches: 3
-
Occurrences found for one million commits: 0.28
-
Prefixed: False
-
PreValidators:
- type: FilenameBanlistPreValidator
banlist_extensions: []
banlist_filenames: []
check_binaries: false
include_default_banlist_extensions: true
ban_markup: true
- type: ContentWhitelistPreValidator
patterns:
- psql
Examples
- text: |
PGPASSWORD=strongp@ss psql -hdb-postgresql-ams3-58486-do-user-7772205-0.b.db.ondigitalocean.com -Udoadmin -p 25060
host: db-postgresql-ams3-58486-do-user-7772205-0.b.db.ondigitalocean.com
username: doadmin
password: strongp@ss
- text: |
PGPASSWORD=strongp@ss psql -h12.76.135.14 -Udoadmin -p 25060
host: 12.76.135.14
username: doadmin
password: strongp@ss
# Test with full option names
- text: |
PGPASSWORD=strongp@ss psql --host=db-postgresql-ams3-58486-do-user-7772205-0.b.db.ondigitalocean.com --username doadmin -p 25060
host: db-postgresql-ams3-58486-do-user-7772205-0.b.db.ondigitalocean.com
username: doadmin
password: strongp@ss
# Test with another order for options
- text: |
PGPASSWORD=strongp@ss psql --usern=doadmin -p 25060 --hos db-postgresql-ams3-58486-do-user-7772205-0.b.db.ondigitalocean.com
host: db-postgresql-ams3-58486-do-user-7772205-0.b.db.ondigitalocean.com
username: doadmin
password: strongp@ss
# Test with some extra options in the middle of it all
- text: |
PGPASSWORD=strongp@ss psql --username doadmin -d mydatabase --host db-postgresql-ams3-58486-do-user-7772205-0.b.db.ondigitalocean.com
host: db-postgresql-ams3-58486-do-user-7772205-0.b.db.ondigitalocean.com
username: doadmin
password: strongp@ss
# Multiple whitespaces
- text: |
PGPASSWORD=strongp@ss psql --username doadmin -d mydatabase --host db-postgresql-ams3-58486-do-user-7772205-0.b.db.ondigitalocean.com
host: db-postgresql-ams3-58486-do-user-7772205-0.b.db.ondigitalocean.com
username: doadmin
password: strongp@ss
