Skip to content

Instantly share code, notes, and snippets.

@nullenc0de

nullenc0de/huge_config.yaml

Created June 3, 2025 13:30
Show Gist options
  • Save nullenc0de/12f51527f7e416f2dea529f749d53efb to your computer and use it in GitHub Desktop.
Save nullenc0de/12f51527f7e416f2dea529f749d53efb to your computer and use it in GitHub Desktop.
Download ZIP
Raw
huge_config.yaml
id: sensitive-credential-files
info:
name: Sensitive Credential File Discovery
author: security-researcher
severity: high
description: Discovers exposed files containing credentials, API keys, passwords, and other sensitive data
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cwe-id: CWE-200,CWE-284,CWE-922
metadata:
verified: true
max-request: 20
tags: exposure,credentials,secrets,passwords,keys
http:
- method: GET
path:
# Environment & Configuration Files with Credentials
- "{{BaseURL}}/.env"
- "{{BaseURL}}/.env.local"
- "{{BaseURL}}/.env.production"
- "{{BaseURL}}/.env.development"
- "{{BaseURL}}/.env.staging"
- "{{BaseURL}}/.env.test"
- "{{BaseURL}}/.env.bak"
- "{{BaseURL}}/.env.backup"
- "{{BaseURL}}/.env.old"
- "{{BaseURL}}/.env.save"
- "{{BaseURL}}/.env.example"
- "{{BaseURL}}/.env.sample"
- "{{BaseURL}}/.env.dist"
- "{{BaseURL}}/.env.docker"
- "{{BaseURL}}/.env.prod"
- "{{BaseURL}}/.environment"
- "{{BaseURL}}/.envrc"
- "{{BaseURL}}/app.env"
- "{{BaseURL}}/config.env"
- "{{BaseURL}}/secrets.env"
- "{{BaseURL}}/database.env"
- "{{BaseURL}}/sendgrid.env"
- "{{BaseURL}}/mailgun.env"
- "{{BaseURL}}/stripe.env"
- "{{BaseURL}}/github.env"
- "{{BaseURL}}/config.php"
- "{{BaseURL}}/configuration.php"
- "{{BaseURL}}/config.json"
- "{{BaseURL}}/config.yml"
- "{{BaseURL}}/config.xml"
- "{{BaseURL}}/settings.php"
- "{{BaseURL}}/secrets.json"
- "{{BaseURL}}/credentials.json"
- "{{BaseURL}}/auth.json"
- "{{BaseURL}}/database.yml"
- "{{BaseURL}}/database.json"
- "{{BaseURL}}/db_config.php"
- "{{BaseURL}}/connect.php"
- "{{BaseURL}}/connection.php"
- "{{BaseURL}}/app.config"
- "{{BaseURL}}/web.config"
- "{{BaseURL}}/appsettings.json"
- "{{BaseURL}}/connectionstrings.config"
- "{{BaseURL}}/machine.config"
- "{{BaseURL}}/application.properties"
- "{{BaseURL}}/application.yml"
- "{{BaseURL}}/bootstrap.properties"
- "{{BaseURL}}/config.properties"
- "{{BaseURL}}/keyfile.properties"
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "APP_KEY="
- "DB_PASSWORD="
- "DATABASE_PASSWORD="
- "API_KEY="
- "SECRET_KEY="
- "PRIVATE_KEY="
- "ACCESS_TOKEN="
- "REFRESH_TOKEN="
- "AWS_SECRET_ACCESS_KEY="
- "GOOGLE_API_KEY="
- "STRIPE_SECRET="
- "MAILGUN_API_KEY="
- "TWILIO_AUTH_TOKEN="
- "SENDGRID_API_KEY="
- "GITHUB_TOKEN="
- "JWT_SECRET="
- "SESSION_SECRET="
condition: or
case-insensitive: true
- type: word
words:
- "<html"
- "<head"
- "<title"
- "<body"
- "<div"
condition: or
negative: true
extractors:
- type: regex
part: body
regex:
- "(?i)(([a-z0-9]+)[-|_])?(key|password|passwd|pass|pwd|private|credential|auth|cred|creds|secret|access|token)([-|_][a-z]+)?[\\s]*[=:]+[\\s]*[\"']?([\\w\\-\\.@:/+=]{8,})[\"']?"
- "(?i)[\"']?aws[_-]?secret[_-]?access[_-]?key[\"']?[^\\S\\r\\n]*[=:][^\\S\\r\\n]*[\"']?([\\w\\-/+=]{20,})[\"']?"
- "(?i)[\"']?aws[_-]?access[_-]?key[_-]?id[\"']?[^\\S\\r\\n]*[=:][^\\S\\r\\n]*[\"']?([A-Z0-9]{16,})[\"']?"
- "(?i)[\"']?github[_-]?token[\"']?[^\\S\\r\\n]*[=:][^\\S\\r\\n]*[\"']?(ghp_[\\w]{36}|gho_[\\w]{36}|ghu_[\\w]{36}|ghs_[\\w]{36}|ghr_[\\w]{36})[\"']?"
- "(?i)[\"']?api[_-]?key[\"']?[^\\S\\r\\n]*[=:][^\\S\\r\\n]*[\"']?([\\w\\-]{16,})[\"']?"
- "(?i)[\"']?(database|db|mysql|postgres)[_-]?password[\"']?[^\\S\\r\\n]*[=:][^\\S\\r\\n]*[\"']?([\\w\\-@#$%^&*()+=]{6,})[\"']?"
- "(?i)[\"']?jwt[_-]?secret[\"']?[^\\S\\r\\n]*[=:][^\\S\\r\\n]*[\"']?([\\w\\-@#$%^&*()+=]{16,})[\"']?"
group: 5
- method: GET
path:
# Cloud Service Credential Files
- "{{BaseURL}}/.aws/config"
- "{{BaseURL}}/.aws/credentials"
- "{{BaseURL}}/.gcloud/credentials"
- "{{BaseURL}}/.gcloud/credentials.db"
- "{{BaseURL}}/.google/credentials.json"
- "{{BaseURL}}/.azure/accessTokens.json"
- "{{BaseURL}}/.azure/credentials"
- "{{BaseURL}}/serviceaccount.json"
- "{{BaseURL}}/service-account.json"
- "{{BaseURL}}/service_account.json"
- "{{BaseURL}}/google-services.json"
- "{{BaseURL}}/firebase-adminsdk.json"
- "{{BaseURL}}/firebase_config.json"
- "{{BaseURL}}/aws_credentials"
- "{{BaseURL}}/azure_credentials.json"
- "{{BaseURL}}/gcp_credentials.json"
- "{{BaseURL}}/.digitalocean/config.yaml"
- "{{BaseURL}}/.heroku/credentials"
- "{{BaseURL}}/client_secret.json"
- "{{BaseURL}}/client_secrets.json"
- "{{BaseURL}}/credentials.json"
- "{{BaseURL}}/credentials.xml"
- "{{BaseURL}}/oauth.json"
- "{{BaseURL}}/oauth_credentials.json"
- "{{BaseURL}}/token.json"
- "{{BaseURL}}/refresh_token.json"
- "{{BaseURL}}/access_tokens.json"
- "{{BaseURL}}/api_keys.json"
- "{{BaseURL}}/api_config.json"
- "{{BaseURL}}/.kube/config"
- "{{BaseURL}}/.docker/config.json"
- "{{BaseURL}}/docker_config.json"
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "private_key"
- "client_secret"
- "access_token"
- "refresh_token"
- "service_account"
- "aws_access_key_id"
- "aws_secret_access_key"
- "auth_uri"
- "token_uri"
- "private_key_id"
condition: or
case-insensitive: true
- type: word
words:
- "<html"
- "<head"
- "<title"
- "<body"
- "<div"
condition: or
negative: true
extractors:
- type: regex
part: body
regex:
- "(?i)\"private_key\"[\\s]*:[\\s]*\"([^\"]+)\""
- "(?i)\"client_secret\"[\\s]*:[\\s]*\"([^\"]+)\""
- "(?i)\"access_token\"[\\s]*:[\\s]*\"([^\"]+)\""
- "(?i)\"refresh_token\"[\\s]*:[\\s]*\"([^\"]+)\""
- "(?i)aws_access_key_id[\\s]*=[\\s]*([A-Z0-9]{16,})"
- "(?i)aws_secret_access_key[\\s]*=[\\s]*([\\w\\-/+=]{20,})"
group: 1
- method: GET
path:
# WordPress and CMS Configuration Files
- "{{BaseURL}}/wp-config.php"
- "{{BaseURL}}/wp-config-sample.php"
- "{{BaseURL}}/wp-config.php.bak"
- "{{BaseURL}}/wp-config.php~"
- "{{BaseURL}}/wp-config.php.old"
- "{{BaseURL}}/wp-config.php.save"
- "{{BaseURL}}/wp-config.inc"
- "{{BaseURL}}/wp-config.txt"
- "{{BaseURL}}/config.inc.php"
- "{{BaseURL}}/configuration.php"
- "{{BaseURL}}/local.xml"
- "{{BaseURL}}/app/etc/local.xml"
- "{{BaseURL}}/config/database.yml"
- "{{BaseURL}}/config/app.yml"
- "{{BaseURL}}/app/config/database.yml"
- "{{BaseURL}}/app/config/parameters.yml"
- "{{BaseURL}}/config/secrets.yml"
- "{{BaseURL}}/config/master.key"
- "{{BaseURL}}/local_settings.py"
- "{{BaseURL}}/settings/local.py"
- "{{BaseURL}}/settings.php"
- "{{BaseURL}}/database.php"
- "{{BaseURL}}/db_connect.php"
- "{{BaseURL}}/db_connection.php"
- "{{BaseURL}}/database_config.php"
- "{{BaseURL}}/db_credentials.json"
- "{{BaseURL}}/mysql_config.php"
- "{{BaseURL}}/postgres_config.php"
- "{{BaseURL}}/mongodb_config.json"
- "{{BaseURL}}/redis_config.json"
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "<?php"
- "define("
- "password"
- "secret"
- "database"
- "mysql"
- "postgres"
- "host:"
- "username:"
- "password:"
condition: or
case-insensitive: true
- type: word
words:
- "<html"
- "<head"
- "<title"
- "<body"
- "<div"
condition: or
negative: true
extractors:
- type: regex
part: body
regex:
- "(?i)define\\(['\"]DB_PASSWORD['\"][\\s]*,[\\s]*['\"]([^'\"]+)['\"]"
- "(?i)define\\(['\"]DB_USER['\"][\\s]*,[\\s]*['\"]([^'\"]+)['\"]"
- "(?i)['\"]password['\"][\\s]*[=>:][\\s]*['\"]([^'\"]{6,})['\"]"
- "(?i)['\"]secret['\"][\\s]*[=>:][\\s]*['\"]([^'\"]{8,})['\"]"
- "(?i)DATABASE_URL[\\s]*=[\\s]*['\"]([^'\"]+)['\"]"
group: 1
- method: GET
path:
# SSH Keys and Certificates
- "{{BaseURL}}/id_rsa"
- "{{BaseURL}}/id_dsa"
- "{{BaseURL}}/id_ecdsa"
- "{{BaseURL}}/id_ed25519"
- "{{BaseURL}}/.ssh/id_rsa"
- "{{BaseURL}}/.ssh/id_dsa"
- "{{BaseURL}}/.ssh/id_ecdsa"
- "{{BaseURL}}/.ssh/id_ed25519"
- "{{BaseURL}}/.ssh/authorized_keys"
- "{{BaseURL}}/.ssh/config"
- "{{BaseURL}}/.ssh/known_hosts"
- "{{BaseURL}}/server.key"
- "{{BaseURL}}/private.key"
- "{{BaseURL}}/privatekey.key"
- "{{BaseURL}}/key.pem"
- "{{BaseURL}}/private.pem"
- "{{BaseURL}}/cert.key"
- "{{BaseURL}}/ssl.key"
- "{{BaseURL}}/tls.key"
- "{{BaseURL}}/certificate.key"
- "{{BaseURL}}/client.key"
- "{{BaseURL}}/rsa.key"
- "{{BaseURL}}/ecdsa.key"
- "{{BaseURL}}/signing.key"
- "{{BaseURL}}/encryption.key"
- "{{BaseURL}}/master.key"
- "{{BaseURL}}/session.key"
- "{{BaseURL}}/jwt.key"
- "{{BaseURL}}/keystore.jks"
- "{{BaseURL}}/truststore.jks"
- "{{BaseURL}}/keyring.gpg"
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "-----BEGIN PRIVATE KEY-----"
- "-----BEGIN RSA PRIVATE KEY-----"
- "-----BEGIN DSA PRIVATE KEY-----"
- "-----BEGIN EC PRIVATE KEY-----"
- "-----BEGIN OPENSSH PRIVATE KEY-----"
- "ssh-rsa"
- "ssh-dss"
- "ssh-ed25519"
condition: or
extractors:
- type: regex
part: body
regex:
- "(-----BEGIN [A-Z ]+PRIVATE KEY-----[\\s\\S]*?-----END [A-Z ]+PRIVATE KEY-----)"
- "(ssh-rsa [A-Za-z0-9+/=]+)"
- "(ssh-dss [A-Za-z0-9+/=]+)"
- "(ssh-ed25519 [A-Za-z0-9+/=]+)"
group: 1
- method: GET
path:
# Database Files and Backups
- "{{BaseURL}}/database.sql"
- "{{BaseURL}}/db.sql"
- "{{BaseURL}}/backup.sql"
- "{{BaseURL}}/dump.sql"
- "{{BaseURL}}/users.sql"
- "{{BaseURL}}/accounts.sql"
- "{{BaseURL}}/customers.sql"
- "{{BaseURL}}/payment_data.sql"
- "{{BaseURL}}/user_export.csv"
- "{{BaseURL}}/customer_data.sql"
- "{{BaseURL}}/database_dump.sql"
- "{{BaseURL}}/database.sqlite"
- "{{BaseURL}}/database.db"
- "{{BaseURL}}/app.db"
- "{{BaseURL}}/users.db"
- "{{BaseURL}}/accounts.db"
- "{{BaseURL}}/wallet.dat"
- "{{BaseURL}}/backup.zip"
- "{{BaseURL}}/full_backup.zip"
- "{{BaseURL}}/site_backup.zip"
- "{{BaseURL}}/database.sql.bak"
- "{{BaseURL}}/users.sql.bak"
- "{{BaseURL}}/backup.tar.gz"
- "{{BaseURL}}/db_backup.sql"
- "{{BaseURL}}/mysql.sql"
- "{{BaseURL}}/postgres.sql"
- "{{BaseURL}}/mongodb.json"
- "{{BaseURL}}/redis.rdb"
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "CREATE TABLE"
- "INSERT INTO"
- "DROP TABLE"
- "UPDATE"
- "SELECT"
- "SQLite format"
- "sqlite_master"
- "PRAGMA"
condition: or
case-insensitive: true
- type: word
words:
- "<html"
- "<head"
- "<title"
- "<body"
- "<div"
condition: or
negative: true
extractors:
- type: regex
part: body
regex:
- "(?i)INSERT INTO [\\w_]+ \\([^)]*password[^)]*\\) VALUES \\(([^)]+)\\)"
- "(?i)password['\"][\\s]*[=>:][\\s]*['\"]([^'\"]{6,})['\"]"
- "(?i)api_key['\"][\\s]*[=>:][\\s]*['\"]([^'\"]{8,})['\"]"
group: 1
- method: GET
path:
# Password and Authentication Files
- "{{BaseURL}}/.htpasswd"
- "{{BaseURL}}/htpasswd"
- "{{BaseURL}}/passwd"
- "{{BaseURL}}/password"
- "{{BaseURL}}/passwords.txt"
- "{{BaseURL}}/users.txt"
- "{{BaseURL}}/accounts.txt"
- "{{BaseURL}}/logins.txt"
- "{{BaseURL}}/credentials.txt"
- "{{BaseURL}}/auth.txt"
- "{{BaseURL}}/shadow"
- "{{BaseURL}}/master.passwd"
- "{{BaseURL}}/auth_users.json"
- "{{BaseURL}}/login_credentials.json"
- "{{BaseURL}}/admin_users.json"
- "{{BaseURL}}/service_users.json"
- "{{BaseURL}}/user_sessions.json"
- "{{BaseURL}}/session_store.json"
- "{{BaseURL}}/ldap_config.json"
- "{{BaseURL}}/active_directory.json"
- "{{BaseURL}}/oauth_users.json"
- "{{BaseURL}}/saml_config.xml"
- "{{BaseURL}}/cas_config.json"
- "{{BaseURL}}/radius_config.json"
- "{{BaseURL}}/kerberos_config.json"
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: regex
regex:
- "^[\\w]+:[\\$\\w\\./]{13,}"
- "^[\\w\\.-]+@[\\w\\.-]+:[\\w\\$\\./]{8,}"
- "\\$[0-9]\\$[\\w\\./]{50,}"
- "^[\\w]+:\\{[A-Z0-9]+\\}"
condition: or
- type: word
words:
- "<html"
- "<head"
- "<title"
- "<body"
- "<div"
condition: or
negative: true
extractors:
- type: regex
part: body
regex:
- "([\\w]+):[\\$\\w\\./]{13,}"
- "([\\w\\.-]+@[\\w\\.-]+):([\\w\\$\\./]{8,})"
- "(\\$[0-9]\\$[\\w\\./]{50,})"
group: 0
- method: GET
path:
# Framework-Specific Secret Files
- "{{BaseURL}}/secrets.yml"
- "{{BaseURL}}/master.key"
- "{{BaseURL}}/credentials.yml.enc"
- "{{BaseURL}}/application_secrets.rb"
- "{{BaseURL}}/production_secrets.rb"
- "{{BaseURL}}/laravel_config.php"
- "{{BaseURL}}/app_key.txt"
- "{{BaseURL}}/jwt_secret.txt"
- "{{BaseURL}}/session_secret.txt"
- "{{BaseURL}}/cookie_secret.txt"
- "{{BaseURL}}/csrf_token.txt"
- "{{BaseURL}}/django_secret.py"
- "{{BaseURL}}/flask_secret.py"
- "{{BaseURL}}/express_session.js"
- "{{BaseURL}}/nextauth_secret.txt"
- "{{BaseURL}}/symfony_secret.yml"
- "{{BaseURL}}/spring_secrets.properties"
- "{{BaseURL}}/micronaut_secrets.yml"
- "{{BaseURL}}/quarkus_secrets.properties"
- "{{BaseURL}}/aspnet_secrets.json"
- "{{BaseURL}}/blazor_secrets.json"
- "{{BaseURL}}/react_env.json"
- "{{BaseURL}}/vue_env.json"
- "{{BaseURL}}/angular_env.json"
- "{{BaseURL}}/svelte_env.json"
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "secret"
- "key"
- "token"
- "password"
- "credential"
- "auth"
- "api"
- "private"
condition: or
case-insensitive: true
- type: word
words:
- "<html"
- "<head"
- "<title"
- "<body"
- "<div"
condition: or
negative: true
extractors:
- type: regex
part: body
regex:
- "(?i)(secret|key|token|password|credential|auth|api)[_-]?[a-z]*[\\s]*[=:][\\s]*['\"]?([\\w\\-@#$%^&*()+=]{8,})['\"]?"
group: 2
- method: GET
path:
# Version Control Files
- "{{BaseURL}}/.git/config"
- "{{BaseURL}}/.git/HEAD"
- "{{BaseURL}}/.git/index"
- "{{BaseURL}}/.git/logs/HEAD"
- "{{BaseURL}}/.git/refs/heads/master"
- "{{BaseURL}}/.git/refs/heads/main"
- "{{BaseURL}}/.gitignore"
- "{{BaseURL}}/.gitmodules"
- "{{BaseURL}}/.svn/entries"
- "{{BaseURL}}/.svn/wc.db"
- "{{BaseURL}}/.hg/hgrc"
- "{{BaseURL}}/.bzr/branch/branch.conf"
- "{{BaseURL}}/CVS/Root"
- "{{BaseURL}}/CVS/Entries"
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "repositoryformatversion"
- "ref:"
- "tree"
- "parent"
- "author"
- "committer"
- ".git"
- "refs/heads"
- "password"
- "token"
- "secret"
condition: or
case-insensitive: true
- type: word
words:
- "<html"
- "<head"
- "<title"
- "<body"
- "<div"
condition: or
negative: true
extractors:
- type: regex
part: body
regex:
- "(?i)(password|token|secret|key)[=:][\\s]*([\\w\\-@#$%^&*()+=]{6,})"
- "url[\\s]*=[\\s]*.*://([^:]+):([^@]+)@"
group: 2
- method: GET
path:
# Log Files with Potential Credential Leaks
- "{{BaseURL}}/error.log"
- "{{BaseURL}}/access.log"
- "{{BaseURL}}/debug.log"
- "{{BaseURL}}/application.log"
- "{{BaseURL}}/php_errors.log"
- "{{BaseURL}}/error_log"
- "{{BaseURL}}/logs/error.log"
- "{{BaseURL}}/logs/application.log"
- "{{BaseURL}}/logs/access.log"
- "{{BaseURL}}/logs/debug.log"
- "{{BaseURL}}/var/log/apache2/error.log"
- "{{BaseURL}}/storage/logs/laravel.log"
- "{{BaseURL}}/wp-content/debug.log"
- "{{BaseURL}}/laravel.log"
- "{{BaseURL}}/system.log"
- "{{BaseURL}}/security.log"
- "{{BaseURL}}/admin.log"
- "{{BaseURL}}/user.log"
- "{{BaseURL}}/login.log"
- "{{BaseURL}}/auth.log"
- "{{BaseURL}}/mysql.log"
- "{{BaseURL}}/sql.log"
- "{{BaseURL}}/transaction.log"
- "{{BaseURL}}/audit.log"
- "{{BaseURL}}/exception.log"
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "password="
- "api_key="
- "token="
- "secret="
- "auth="
- "key="
- "username="
- "login="
- "passwd="
- "ERROR"
- "FATAL"
- "Exception"
- "Stack trace"
condition: or
case-insensitive: true
- type: word
words:
- "<html"
- "<head"
- "<title"
- "<body"
- "<div"
condition: or
negative: true
extractors:
- type: regex
part: body
regex:
- "(?i)(password|api_key|token|secret|auth|key)[=:]['\"]?([\\w\\-@#$%^&*()+=]{6,})['\"]?"
- "(?i)(username|login|user)[=:]['\"]?([\\w\\.-]+@[\\w\\.-]+|[\\w\\.-]{3,})['\"]?"
group: 2
- method: GET
path:
# CI/CD Files with Secrets
- "{{BaseURL}}/.travis.yml"
- "{{BaseURL}}/.gitlab-ci.yml"
- "{{BaseURL}}/.circleci/config.yml"
- "{{BaseURL}}/azure-pipelines.yml"
- "{{BaseURL}}/bitbucket-pipelines.yml"
- "{{BaseURL}}/.drone.yml"
- "{{BaseURL}}/.github/workflows/ci.yml"
- "{{BaseURL}}/.github/workflows/deploy.yml"
- "{{BaseURL}}/.github/workflows/build.yml"
- "{{BaseURL}}/.github/workflows/test.yml"
- "{{BaseURL}}/Jenkinsfile"
- "{{BaseURL}}/jenkins_config.xml"
- "{{BaseURL}}/buildspec.yml"
- "{{BaseURL}}/appspec.yml"
- "{{BaseURL}}/docker-compose.yml"
- "{{BaseURL}}/docker-compose.override.yml"
- "{{BaseURL}}/docker-compose.dev.yml"
- "{{BaseURL}}/docker-compose.prod.yml"
- "{{BaseURL}}/kubernetes_secrets.yml"
- "{{BaseURL}}/helm_values.yml"
- "{{BaseURL}}/terraform_vars.tf"
- "{{BaseURL}}/ansible_vault.yml"
- "{{BaseURL}}/cloudformation_params.json"
- "{{BaseURL}}/pulumi_config.json"
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "password:"
- "token:"
- "secret:"
- "key:"
- "api_key:"
- "access_token:"
- "secure:"
- "encrypted:"
- "env:"
- "environment:"
- "variables:"
condition: or
case-insensitive: true
- type: word
words:
- "<html"
- "<head"
- "<title"
- "<body"
- "<div"
condition: or
negative: true
extractors:
- type: regex
part: body
regex:
- "(?i)(password|token|secret|key|api_key|access_token):[\\s]*['\"]?([\\w\\-@#$%^&*()+=]{8,})['\"]?"
group: 2
- method: GET
path:
# Backup Files with Credentials
- "{{BaseURL}}/config.php.bak"
- "{{BaseURL}}/config.php~"
- "{{BaseURL}}/config.php.old"
- "{{BaseURL}}/config.php.orig"
- "{{BaseURL}}/config.php.save"
- "{{BaseURL}}/config.php.tmp"
- "{{BaseURL}}/config.json.bak"
- "{{BaseURL}}/config.xml.old"
- "{{BaseURL}}/settings.ini.orig"
- "{{BaseURL}}/credentials.json.bak"
- "{{BaseURL}}/secrets.yml.bak"
- "{{BaseURL}}/env.bak"
- "{{BaseURL}}/web.config.bak"
- "{{BaseURL}}/web.config.old"
- "{{BaseURL}}/web.config.orig"
- "{{BaseURL}}/app.config.bak"
- "{{BaseURL}}/application.properties.save"
- "{{BaseURL}}/appsettings.Development.json"
- "{{BaseURL}}/appsettings.Production.json"
- "{{BaseURL}}/appsettings.Staging.json"
- "{{BaseURL}}/launchSettings.json"
- "{{BaseURL}}/session_backup.json"
- "{{BaseURL}}/keychain_export.json"
- "{{BaseURL}}/vault_backup.json"
- "{{BaseURL}}/encrypted_backup.gpg"
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "password"
- "secret"
- "key"
- "token"
- "credential"
- "auth"
- "api"
- "private"
- "<?php"
- "ConnectionStrings"
condition: or
case-insensitive: true
- type: word
words:
- "<html"
- "<head"
- "<title"
- "<body"
- "<div"
condition: or
negative: true
extractors:
- type: regex
part: body
regex:
- "(?i)(password|secret|key|token|credential|auth|api)[_-]?[a-z]*[\\s]*[=:][\\s]*['\"]?([\\w\\-@#$%^&*()+=]{6,})['\"]?"
group: 2
- method: GET
path:
# Email and Communication Service Configuration
- "{{BaseURL}}/email_config.json"
- "{{BaseURL}}/smtp_config.json"
- "{{BaseURL}}/imap_config.json"
- "{{BaseURL}}/pop3_config.json"
- "{{BaseURL}}/mailserver_config.json"
- "{{BaseURL}}/mail_settings.php"
- "{{BaseURL}}/email_settings.php"
- "{{BaseURL}}/sendmail_config.php"
- "{{BaseURL}}/postfix_config.json"
- "{{BaseURL}}/dovecot_config.json"
- "{{BaseURL}}/mattermost_config.json"
- "{{BaseURL}}/rocket_chat.json"
- "{{BaseURL}}/telegram_config.json"
- "{{BaseURL}}/whatsapp_config.json"
- "{{BaseURL}}/signal_config.json"
- "{{BaseURL}}/zoom_config.json"
- "{{BaseURL}}/teams_config.json"
- "{{BaseURL}}/skype_config.json"
- "{{BaseURL}}/webex_config.json"
- "{{BaseURL}}/gotomeeting_config.json"
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "smtp_password"
- "mail_password"
- "email_password"
- "api_key"
- "auth_token"
- "webhook"
- "bot_token"
- "client_secret"
- "access_token"
condition: or
case-insensitive: true
- type: word
words:
- "<html"
- "<head"
- "<title"
- "<body"
- "<div"
condition: or
negative: true
extractors:
- type: regex
part: body
regex:
- "(?i)(smtp_password|mail_password|email_password|api_key|auth_token|bot_token|client_secret|access_token)[\\s]*[=:][\\s]*['\"]?([\\w\\-@#$%^&*()+=]{6,})['\"]?"
group: 2
- method: GET
path:
# Package Manager and Dependency Files
- "{{BaseURL}}/composer.json"
- "{{BaseURL}}/composer.lock"
- "{{BaseURL}}/composer_auth.json"
- "{{BaseURL}}/package.json"
- "{{BaseURL}}/package-lock.json"
- "{{BaseURL}}/yarn.lock"
- "{{BaseURL}}/pnpm-lock.yaml"
- "{{BaseURL}}/Gemfile"
- "{{BaseURL}}/Gemfile.lock"
- "{{BaseURL}}/gem_credentials"
- "{{BaseURL}}/requirements.txt"
- "{{BaseURL}}/Pipfile"
- "{{BaseURL}}/Pipfile.lock"
- "{{BaseURL}}/poetry.lock"
- "{{BaseURL}}/setup.py"
- "{{BaseURL}}/pip_config"
- "{{BaseURL}}/npm_config"
- "{{BaseURL}}/npmrc"
- "{{BaseURL}}/.npmrc"
- "{{BaseURL}}/pom.xml"
- "{{BaseURL}}/build.gradle"
- "{{BaseURL}}/gradle.properties"
- "{{BaseURL}}/nuget.config"
- "{{BaseURL}}/packages.config"
- "{{BaseURL}}/project.json"
- "{{BaseURL}}/bower.json"
- "{{BaseURL}}/.bowerrc"
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "dependencies"
- "devDependencies"
- "scripts"
- "repository"
- "auth-token"
- "registry"
- "token"
- "username"
- "password"
condition: or
case-insensitive: true
- type: word
words:
- "<html"
- "<head"
- "<title"
- "<body"
- "<div"
condition: or
negative: true
extractors:
- type: regex
part: body
regex:
- "(?i)(auth-token|registry|token|username|password)[\\s]*[=:][\\s]*['\"]?([\\w\\-@#$%^&*()+=/.]{6,})['\"]?"
group: 2
- method: GET
path:
# Network and VPN Configuration
- "{{BaseURL}}/vpn_config.json"
- "{{BaseURL}}/openvpn_config.ovpn"
- "{{BaseURL}}/wireguard_config.conf"
- "{{BaseURL}}/ipsec_config.conf"
- "{{BaseURL}}/l2tp_config.json"
- "{{BaseURL}}/pptp_config.json"
- "{{BaseURL}}/cisco_config.txt"
- "{{BaseURL}}/juniper_config.txt"
- "{{BaseURL}}/pfsense_config.xml"
- "{{BaseURL}}/mikrotik_config.rsc"
- "{{BaseURL}}/ftp_config.json"
- "{{BaseURL}}/sftp_config.json"
- "{{BaseURL}}/.netrc"
- "{{BaseURL}}/.ftpconfig"
- "{{BaseURL}}/.s3cfg"
- "{{BaseURL}}/.boto"
- "{{BaseURL}}/.credentials"
- "{{BaseURL}}/.pgpass"
- "{{BaseURL}}/.my.cnf"
- "{{BaseURL}}/.pymongo.conf"
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "password"
- "secret"
- "key"
- "psk"
- "passphrase"
- "username"
- "login"
- "auth"
- "certificate"
- "private"
condition: or
case-insensitive: true
- type: word
words:
- "<html"
- "<head"
- "<title"
- "<body"
- "<div"
condition: or
negative: true
extractors:
- type: regex
part: body
regex:
- "(?i)(password|secret|key|psk|passphrase|username|login|auth)[\\s]*[=:][\\s]*['\"]?([\\w\\-@#$%^&*()+=/.]{6,})['\"]?"
group: 2
- method: GET
path:
# Payment Gateway and Service Configuration
- "{{BaseURL}}/stripe_config.json"
- "{{BaseURL}}/paypal_config.json"
- "{{BaseURL}}/payment_gateway.json"
- "{{BaseURL}}/square_config.json"
- "{{BaseURL}}/braintree_config.json"
- "{{BaseURL}}/authorize_net.json"
- "{{BaseURL}}/twilio_config.json"
- "{{BaseURL}}/sendgrid_config.json"
- "{{BaseURL}}/mailgun_config.json"
- "{{BaseURL}}/slack_config.json"
- "{{BaseURL}}/slack_webhook.json"
- "{{BaseURL}}/discord_webhook.json"
- "{{BaseURL}}/teams_webhook.json"
- "{{BaseURL}}/github_config.json"
- "{{BaseURL}}/bitbucket_config.json"
- "{{BaseURL}}/gitlab_config.json"
- "{{BaseURL}}/analytics_config.json"
- "{{BaseURL}}/google_analytics.json"
- "{{BaseURL}}/mixpanel_config.json"
- "{{BaseURL}}/amplitude_config.json"
- "{{BaseURL}}/segment_config.json"
- "{{BaseURL}}/intercom_config.json"
- "{{BaseURL}}/zendesk_config.json"
- "{{BaseURL}}/salesforce_config.json"
- "{{BaseURL}}/hubspot_config.json"
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "api_key"
- "secret_key"
- "private_key"
- "client_secret"
- "auth_token"
- "access_token"
- "webhook_secret"
- "publishable_key"
- "merchant_id"
- "client_id"
condition: or
case-insensitive: true
- type: word
words:
- "<html"
- "<head"
- "<title"
- "<body"
- "<div"
condition: or
negative: true
extractors:
- type: regex
part: body
regex:
- "(?i)(api_key|secret_key|private_key|client_secret|auth_token|access_token)[\"']?[\\s]*[=:][\\s]*[\"']?([\\w\\-@#$%^&*()+=]{8,})[\"']?"
group: 2
- method: GET
path:
# Mobile and Common Configuration Files
- "{{BaseURL}}/GoogleService-Info.plist"
- "{{BaseURL}}/google-services.json"
- "{{BaseURL}}/aws-exports.js"
- "{{BaseURL}}/amplify-meta.json"
- "{{BaseURL}}/serverless.yml"
- "{{BaseURL}}/now.json"
- "{{BaseURL}}/vercel.json"
- "{{BaseURL}}/netlify.toml"
- "{{BaseURL}}/heroku.yml"
- "{{BaseURL}}/procfile"
- "{{BaseURL}}/runtime.txt"
- "{{BaseURL}}/app.yaml"
- "{{BaseURL}}/app.yml"
- "{{BaseURL}}/firebase.json"
- "{{BaseURL}}/.firebaserc"
- "{{BaseURL}}/amplify.yml"
- "{{BaseURL}}/sam.yml"
- "{{BaseURL}}/template.yaml"
- "{{BaseURL}}/cloudbuild.yaml"
- "{{BaseURL}}/skaffold.yaml"
- "{{BaseURL}}/phpinfo.php"
- "{{BaseURL}}/info.php"
- "{{BaseURL}}/test.php"
- "{{BaseURL}}/admin.php"
- "{{BaseURL}}/login.php"
- "{{BaseURL}}/crossdomain.xml"
- "{{BaseURL}}/clientaccesspolicy.xml"
- "{{BaseURL}}/humans.txt"
- "{{BaseURL}}/sitemap.xml"
- "{{BaseURL}}/robots.txt"
headers:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "API_KEY"
- "CLIENT_SECRET"
- "GOOGLE_APP_ID"
- "FIREBASE_API_KEY"
- "AWS_REGION"
- "api_key"
- "client_secret"
- "private_key"
- "auth_token"
- "password"
- "secret"
- "key"
- "token"
- "credential"
- "auth"
- "mysql"
- "postgres"
- "mongodb"
- "redis"
- "aws"
- "google"
- "azure"
- "github"
- "gitlab"
- "docker"
- "kubernetes"
condition: or
case-insensitive: true
- type: word
words:
- "<html"
- "<head"
- "<title"
- "<body"
- "<div"
condition: or
negative: true
extractors:
- type: regex
part: body
regex:
- "(?i)(API_KEY|CLIENT_SECRET|GOOGLE_APP_ID|FIREBASE_API_KEY|api_key|client_secret|private_key|auth_token|password|secret|key|token|credential|auth)[\\s]*[=:][\\s]*['\"]?([\\w\\-@#$%^&*()+=/.]{6,})['\"]?"
- "(?i)(database|mysql|postgres|mongodb|redis)[_-]?(password|user|username|host|port)[\\s]*[=:][\\s]*['\"]?([\\w\\-@#$%^&*()+=/.]{3,})['\"]?"
- "(?i)(aws|google|azure|github|gitlab|bitbucket)[_-]?(key|token|secret|password)[\\s]*[=:][\\s]*['\"]?([\\w\\-@#$%^&*()+=/.]{8,})['\"]?"
group: 2
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment