
Finding and exploiting secrets


A 3-step process for finding and reporting critical secrets: 🧵👇

1️⃣ Find secrets:
➡ Look into source control like GitHub, GitLab, etc. Use GitHub dorks for more directed searches, e.g. github.com/techgaun/github-dorks/blob/master/github-dorks.txt
➡ Search for secrets in commit history and across a full organisation with trufflehog: github.com/trufflesecurity/trufflehog
➡ Try finding SonarQube or Jenkins instances. Use #shodan for that. Check my previous thread for some ideas around it 😃: twitter.com/AseemShrey/status/1508059759491964928
Here's how I found one: aseem-shrey.medium.com/mind-your-logs-how-a-build-log-from-a-jenkins-leaked-everything-603cf07fa85
➡ Look into a website's JavaScript files. Here's a writeup around the same: infosecwriteups.com/one-token-to-leak-them-all-the-story-of-a-8000-npm-token-79b13af182a3

2️⃣ Verify those secrets:
➡ After you've found some secrets, it's time to verify them. For each individual key, look here: github.com/streaak/keyhacks
You can use the latest trufflehog v3 to automatically verify over 600 types of secrets as well 😃

3️⃣ Report 💰
➡ Find the company's program on #hackerone or #bugcrowd, or their own bug bounty page.
➡ If nothing like that exists, use connectbit to find contacts.
➡ If even that doesn't help, check people on LinkedIn or Twitter for that org.

🅱🅾🅽🆄🆂 Here's a video on how to automatically find and verify secrets on GitHub, S3 buckets, etc. using trufflehog v3, plus an interview with the creator @InsecureNature. Go on and check the video here: youtube.com/watch?v=iqC-hEd3hkE 📹 🚀
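The thread leans on trufflehog for step 1 and step 2. To make the mechanics concrete, here is an added example (not code from the thread, trufflehog, or keyhacks) of the core idea behind such scanners: match a handful of well-known token formats, fall back to a generic `key = "..."` pattern, and use Shannon entropy to discard placeholder values before anyone wastes time verifying them. It is written from the defender's side: the same function run as a pre-commit hook or CI check on diffs and bundled JavaScript catches the key before it ever reaches a public repository. The regexes are simplified assumptions (real detectors carry hundreds of patterns), and the sample JavaScript and diff are constructed inputs; the AWS key in them is the placeholder value from AWS's own documentation, not a live credential.

```python
import math
import re
from collections import Counter

# Simplified token formats. Assumption: these three plus the generic
# assignment pattern are illustrative, not a complete detector set.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
    # name = "value": catches secrets that have no fixed prefix to key on
    "generic_assignment": re.compile(
        r"(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
    ),
}

# Generic matches below this entropy (bits per char) are treated as
# placeholders such as "changeme" rather than real random material.
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a single repeated char)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep only enough of the value to recognise it in a report."""
    return value[:4] + "..." + value[-2:]


def scan_text(text: str, source: str) -> list:
    """Scan one file's content line by line; return a list of findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(2) if kind == "generic_assignment" else m.group(0)
                entropy = shannon_entropy(value)
                # Prefixed formats are specific enough on their own; only the
                # generic pattern needs the entropy filter.
                if kind == "generic_assignment" and entropy < ENTROPY_THRESHOLD:
                    continue
                findings.append({
                    "source": source,
                    "line": lineno,
                    "kind": kind,
                    "redacted": redact(value),
                    "entropy": round(entropy, 2),
                })
    return findings


def scan_sources(sources: dict) -> list:
    """Scan a mapping of {filename: content}, e.g. a bundle and a git diff."""
    findings = []
    for name, content in sources.items():
        findings.extend(scan_text(content, name))
    return findings


# Constructed sample inputs: a bundled front-end file and a commit diff.
SAMPLE_JS = """\
// constructed sample: a bundled front-end file with an embedded key
const client = new Client({ region: "us-east-1" });
const accessKeyId = "AKIAIOSFODNN7EXAMPLE";
const apiKey = "changeme-changeme-changeme";
"""

SAMPLE_DIFF = """\
+  GITHUB_TOKEN=ghp_0123456789abcdefghijABCDEFGHIJklmnop
+  DB_PASSWORD="Zq8vL2mN9xP4tR7wK3yH6jB1"
"""

if __name__ == "__main__":
    for f in scan_sources({"bundle.js": SAMPLE_JS, "commit.diff": SAMPLE_DIFF}):
        print(f"{f['source']}:{f['line']} {f['kind']} {f['redacted']} "
              f"(entropy {f['entropy']})")
```

Running it reports the AWS key in `bundle.js`, the GitHub token and the high-entropy database password in `commit.diff`, and stays silent on the `changeme-changeme-changeme` placeholder. Findings are redacted on purpose: a scanner report that echoes the full secret into CI logs or a ticket just creates a second leak.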
Aseem Shrey

@AseemShrey

🤖 Founder - SecureMyOrg 👨 Teaching people to get into Security 📹 youtube.com/c/HackingSImpl… Talking about #cybersec #privacy