Merge pull request #547 from mschader/patch-6

Api Key Leaks: Add Trivy to tools section
This commit is contained in:
Swissky 2022-10-01 19:01:47 +02:00 committed by GitHub
commit 9d1421a6c3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -24,15 +24,16 @@
## Tools
- [KeyFinder - is a tool that let you find keys while surfing the web!](https://github.com/momenbasel/KeyFinder)
- [Keyhacks - is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid.](https://github.com/streaak/keyhacks)
- [truffleHog - Find credentials all over the place](https://github.com/trufflesecurity/truffleHog)
- [KeyHacks - is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid.](https://github.com/streaak/keyhacks)
- [TruffleHog - Find credentials all over the place](https://github.com/trufflesecurity/truffleHog)
```ps1
docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --repo https://github.com/trufflesecurity/test_keys
docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --org=trufflesecurity
trufflehog git https://github.com/trufflesecurity/trufflehog.git
trufflehog github --endpoint https://api.github.com --org trufflesecurity --token GITHUB_TOKEN --debug --concurrency 2
```
- [Trivy - General purpose vulnerability and misconfiguration scanner which also searches for API keys/secrets](https://github.com/aquasecurity/trivy)
## Exploit
The following commands can be used to takeover accounts or extract personal information from the API using the leaked token.