Api Key Leaks: Add Trivy to tools section

This commit is contained in:
Markus 2022-10-01 17:20:51 +02:00 committed by GitHub
parent 72a8556dc9
commit b7d275d5b0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -24,15 +24,16 @@
## Tools ## Tools
- [KeyFinder - is a tool that let you find keys while surfing the web!](https://github.com/momenbasel/KeyFinder) - [KeyFinder - is a tool that let you find keys while surfing the web!](https://github.com/momenbasel/KeyFinder)
- [Keyhacks - is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid.](https://github.com/streaak/keyhacks) - [KeyHacks - is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid.](https://github.com/streaak/keyhacks)
- [truffleHog - Find credentials all over the place](https://github.com/trufflesecurity/truffleHog) - [TruffleHog - Find credentials all over the place](https://github.com/trufflesecurity/truffleHog)
```ps1 ```ps1
docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --repo https://github.com/trufflesecurity/test_keys docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --repo https://github.com/trufflesecurity/test_keys
docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --org=trufflesecurity docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --org=trufflesecurity
trufflehog git https://github.com/trufflesecurity/trufflehog.git trufflehog git https://github.com/trufflesecurity/trufflehog.git
trufflehog github --endpoint https://api.github.com --org trufflesecurity --token GITHUB_TOKEN --debug --concurrency 2 trufflehog github --endpoint https://api.github.com --org trufflesecurity --token GITHUB_TOKEN --debug --concurrency 2
``` ```
- [Trivy - General purpose vulnerability and misconfiguration scanner which also searches for API keys/secrets](https://github.com/aquasecurity/trivy)
## Exploit ## Exploit
The following commands can be used to takeover accounts or extract personal information from the API using the leaked token. The following commands can be used to takeover accounts or extract personal information from the API using the leaked token.