Merge pull request #547 from mschader/patch-6

Api Key Leaks: Add Trivy to tools section
This commit is contained in:
Swissky 2022-10-01 19:01:47 +02:00 committed by GitHub
commit 9d1421a6c3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -24,15 +24,16 @@
## Tools ## Tools
- [KeyFinder - is a tool that let you find keys while surfing the web!](https://github.com/momenbasel/KeyFinder) - [KeyFinder - is a tool that let you find keys while surfing the web!](https://github.com/momenbasel/KeyFinder)
- [Keyhacks - is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid.](https://github.com/streaak/keyhacks) - [KeyHacks - is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid.](https://github.com/streaak/keyhacks)
- [truffleHog - Find credentials all over the place](https://github.com/trufflesecurity/truffleHog) - [TruffleHog - Find credentials all over the place](https://github.com/trufflesecurity/truffleHog)
```ps1 ```ps1
docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --repo https://github.com/trufflesecurity/test_keys docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --repo https://github.com/trufflesecurity/test_keys
docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --org=trufflesecurity docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --org=trufflesecurity
trufflehog git https://github.com/trufflesecurity/trufflehog.git trufflehog git https://github.com/trufflesecurity/trufflehog.git
trufflehog github --endpoint https://api.github.com --org trufflesecurity --token GITHUB_TOKEN --debug --concurrency 2 trufflehog github --endpoint https://api.github.com --org trufflesecurity --token GITHUB_TOKEN --debug --concurrency 2
``` ```
- [Trivy - General purpose vulnerability and misconfiguration scanner which also searches for API keys/secrets](https://github.com/aquasecurity/trivy)
## Exploit ## Exploit
The following commands can be used to takeover accounts or extract personal information from the API using the leaked token. The following commands can be used to takeover accounts or extract personal information from the API using the leaked token.