Leaked API keys are no longer unusual, nor are the breaches that follow. So why are sensitive tokens still being so easily exposed?
To find out, Intruder’s research team looked at what traditional vulnerability scanners actually cover and built a new secrets detection method to address gaps in existing approaches.
Applying this at scale by scanning 5 million applications revealed over 42,000 exposed tokens across 334 secret types, exposing a major class of leaked secrets that is not being handled well by existing tooling, particularly in single-page applications (SPAs).
In this article, we break down existing secrets detection methods and reveal what we found when we scanned millions of applications for secrets hidden in JavaScript bundles.
Established secrets detection methods (and their limitations)
Traditional secrets detection
The traditional, fully automated approach to detecting application secrets is to search a set of known paths and apply regular expressions to match known secret formats.
While this method is useful and can catch some exposures, it has clear limitations and will not detect all types of leaks, particularly those that require the scanner to spider the application or authenticate.
A good example of this is Nuclei’s GitLab personal access token template. The scanner is fed a base URL, for example, https://portal.intruder.io/, causing the template to:
- Make an HTTP GET request to https://portal.intruder.io/
- Inspect the direct response to that single request, ignoring other pages and resources such as JavaScript files
- Attempt to identify the pattern of a GitLab personal access token
- If found, make a follow-up request to GitLab’s public API to check whether the token is active
- If active, raise an issue
This is clearly a simple example, but the approach is effective, especially when templates define many paths where secrets are commonly exposed.
This format is typical of infrastructure scanners, which do not usually run a headless browser. When such a scanner is given the base URL to scan (for example, https://portal.intruder.io), the subsequent requests a browser would make (such as for the JavaScript files required to render the page, e.g., https://portal.intruder.io/assets/index-DzChsIZu.js) are never issued by this old-school approach.
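The gap described above, as an added example that is not part of the original article or Intruder's tooling: a minimal regex-based secrets check run first in the old-school way (only the direct response to the base URL) and then extended to follow the script tags a browser would load. The site contents, the base URL and the token value are constructed for the example; the GitLab token pattern (glpat- followed by 20 token characters) and the verification endpoint (GET https://gitlab.com/api/v4/user with a PRIVATE-TOKEN header) are assumptions about the current format and API, and no network request is sent because the fetch and send functions are injected.

```python
import re
from html.parser import HTMLParser
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin

# Known secret formats. Only the GitLab personal access token is modelled here;
# the "glpat-" prefix and 20-character body are an assumption about the format.
SECRET_PATTERNS: Dict[str, re.Pattern] = {
    "gitlab-pat": re.compile(r"glpat-[0-9A-Za-z_\-]{20}(?![0-9A-Za-z_\-])"),
}

# Constructed in-memory "site": a root page that references a JS bundle, and the
# bundle itself, which is where the constructed token lives.
BASE_URL = "https://app.example.invalid/"
CONSTRUCTED_SITE: Dict[str, str] = {
    BASE_URL: (
        '<!doctype html><html><head><title>SPA</title>'
        '<script type="module" src="/assets/index-abc123.js"></script>'
        '</head><body><div id="root"></div></body></html>'
    ),
    BASE_URL + "assets/index-abc123.js": (
        'const cfg={gitlabToken:"glpat-EXAMPLEtoken01234567",api:"/v1"};'
        'export default cfg;'
    ),
}


def fake_fetch(url: str) -> str:
    """Stand-in for an HTTP GET: returns the constructed body, or "" if unknown."""
    return CONSTRUCTED_SITE.get(url, "")


class ScriptSrcParser(HTMLParser):
    """Collects the src attribute of every <script> tag, i.e. the assets a browser would load."""

    def __init__(self) -> None:
        super().__init__()
        self.sources: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def find_secrets(body: str) -> List[Tuple[str, str]]:
    """Apply every known pattern to one response body; returns (kind, secret) pairs."""
    return [(kind, m.group(0))
            for kind, pattern in SECRET_PATTERNS.items()
            for m in pattern.finditer(body)]


def scan_root_only(base_url: str, fetch: Callable[[str], str]) -> List[Tuple[str, str, str]]:
    """Old-school approach: inspect only the direct response to the base URL."""
    return [(base_url, kind, secret) for kind, secret in find_secrets(fetch(base_url))]


def scan_with_assets(base_url: str, fetch: Callable[[str], str]) -> List[Tuple[str, str, str]]:
    """Also follow <script src> references, as a browser would, and scan those bundles."""
    root_body = fetch(base_url)
    findings = [(base_url, kind, secret) for kind, secret in find_secrets(root_body)]
    parser = ScriptSrcParser()
    parser.feed(root_body)
    for src in parser.sources:
        asset_url = urljoin(base_url, src)  # resolves relative paths against the base URL
        findings.extend((asset_url, kind, secret) for kind, secret in find_secrets(fetch(asset_url)))
    return findings


def verify_gitlab_token(secret: str, send: Callable[[str, Dict[str, str]], int]) -> bool:
    """Follow-up check: ask GitLab's public API whether the token is active.

    `send` performs the request and returns the HTTP status code; a 200 means the
    token authenticated. Injecting it keeps this example offline.
    """
    status = send("https://gitlab.com/api/v4/user", {"PRIVATE-TOKEN": secret})
    return status == 200


if __name__ == "__main__":
    print("root only:", scan_root_only(BASE_URL, fake_fetch))
    print("with assets:", scan_with_assets(BASE_URL, fake_fetch))
```

Run as-is, the root-only scan reports nothing while the asset-following scan reports the token inside the bundle, which is exactly the class of exposure a scanner that never requests the JavaScript files cannot see. To use this against a live application, replace fake_fetch with a real HTTP GET and pass a send function that performs the verification request and returns its status code.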
Dynamic Application Security Testing (DAST)
Dynamic Application Security Testing (DAST) tools are generally a more robust way to scan applications. They tend to have more complex functionality, allowing for full spidering of applications, support for authentication, and broader coverage of application-layer weaknesses. Indeed, DAST scanners may seem the natural option for secrets detection in application front-ends: nothing should stop a DAST scanner from discovering the available JavaScript files and scanning them for secrets.
However, this type of scanning is more expensive, requires in-depth configuration, and in reality is usually reserved…
