Skip to main content
Skip table of contents

Example Scan Findings Detected

This page provides real-world examples of credentials and vulnerabilities actually detected and intercepted in scans run by Soteri's Security for Bitbucket. Its algorithms can detect private keys, account numbers, OAuth tokens, and numerous other credentials that use proprietary and deterministic string formats.

This is just a sampling of what can be detected by Soteri's Security for Bitbucket! For a comprehensive list of built-in Vulnerability Detection Capabilities, see Built-In Scanning Rules .

Amazon Web Services (AWS)

AWS is a widely used cloud platform, and if your organization is on it, you can't risk exposing access information by committing it to source code. As you spin up new VMs or add users, there are inevitably multiple instances of access keys passed around, and used within the source code – even if they're just hard-coded for the convenience of testing.

AWS Key  

PY
aws_access_key_id='AKIAIO5FODNN7EXAMPLE'

JS
const AWSKEY = "AKIALALEMEL33243OLIB"

CPP
// Tested with AWS "AKIALALEMEL33243OLIA"

CPP
Here's an AWS secret: AKIALALEMEL33243OLIA

AWS Secret   

JS
const AWSSECRET = "7ce556A3bD234Cc1Ff9E8A5C324C0bB70aA21B6d"

Facebook 

Facebook has had its own share of incidents, but there's no reason to risk exposing your access credentials with a careless push to Bitbucket. Security for Bitbucket scans both for Facebook client IDs and Facebook secrets.

Facebook Client ID  

JAVA
OAuthClientRequest.tokenProvider(OAuthProviderType.FACEBOOK).setClientId("950513172001321")

Facebook Secret  

JS
const fb_secret = "3b2e464637e5159024254dd78aadb17a"

Google

With the widespread use of Google as an authentication service, accidentally committing a Google OAuth key can expose crucial information for attackers, even if the commit is quickly reverted. Security for Bitbucket supports scanning all incoming commits for Google OAuth tokens and OAuth client IDs, as well as Google API keys.

Google OAuth Access Token

JAVA
static final auth_test = "ya29.AHES67zeEn-RDg9CA5gGKMLKuG4uVB7W4O4WjNr-NBfY6Dtad4vbIZ";

Google OAuth

JAVA
static final client_test = "147328480433-ivpqgaaldsjv9br163dockt29e200r62.apps.googleusercontent.com";

Google API token 

JS
const API_TOKEN = "AIzaSyCLWjZ0_ETxgPOxH-gQYT9ODeWcBBZU5-Q"

Github

Github has credentials which can be used like passwords to authenticate individual developers, OAuth tokens, users with Github server applications, and refresh tokens to get new credentials. Security for Bitbucket scans for all kinds of Github Authentication Tokens.

Github Personal Access Tokens

PY
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

Github OAuth Tokens

PY
gho_26C7e42sdflkj32cE7710c824347Ae178B4b

Github User to Server and Server to User Tokens

PY
ghu_16C7e42F292c6912E7710c838347Ae178B4a

PY
ghs_flkj32cE7710c8flkj32cE7710c8flkj32cE

Github Refresh Tokens

PY
ghr_1B4a2e77838347a7E420ce178F2E7c6912E169246c34E1ccbF66C46812d16D5B1A9Dc86A1498

Generic hard-coded passwords

Passwords are still the most common authentication mechanism around, despite the prevalence of more advanced methods such as SSH keys and API keys. To protect against passwords which are accidentally committed, Security for Bitbucket scans incoming commits for generic patterns which look suspiciously like hardcoded passwords. Here are some examples that would be flagged if the GENERIC_PASSWORD rule were turned on:

JAVA
passwd = "qwerty"

db_pass = "qwerty"

PASS = 'secret'

password = "secret"

Note that, due to its nature, the GENERIC_PASSWORD rule may generate more false positives than the more specific rules. To mitigate these, developers can add an inline annotation to inform Security for Bitbucket to ignore the occurrence; see Allow-listing Detected Secrets.

Heroku

Production Heroku API keys can easily end up committed in your repository when a testing script gets accidentally pushed.

Heroku API key

JS
heroku_auth = C7A8B9B3-2C9C-BECC-4C7B-613CB6C9BFF3 # test only

Slack

Organizations who rely on Slack for collaboration and team communication can be easily disrupted by a breach. Our algorithms are sensitive to both web hooks and tokens used on the platform. Given all the potential integrations among Slack, AWS, and source control, the Security for Bitbucket algorithms can plug significant vulnerabilities by detecting access credentials for all three. 

Slack Webhook  

PY
hook = "https://hooks.slack.com/services/Txxxxxxxx/Bxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxx"

Slack Token  

PY
token = "xoxo-523423-234243-234233-e039d02840a0b9379c"

JS
const tok = "xoxa-2-511111111-31111111111-3111111111111-e039d02840a0b9379c"

Mailchimp

Security for Bitbucket Server identifies and intercepts commits that contain API keys for either Mailchimp or Mailgun.

API Keys  

JS
MAILCHIMP_KEY = "a2937653ed38c31a43ea46e2b19257db-us2"

JS
# Using 343ea45721923ed956e2b38c31db76aa-us30 for this campaign

Mailgun

API Key 

JAVA
MAILGUN_KEY = "key-eg8f02fb71f9ee886e96588013241ca0"

Private Keys (SSH, PGP, etc.)

Accidentally committing SSH private keys can leave critical production systems wide open to attackers. It's an easy mistake to make, as private and public keys are generated together and often reside in the same directory on a developer's machine. Security for Bitbucket scans for private keys in incoming commits and blocks the corresponding commits.

BASH
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----

BASH
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

BASH
-----BEGIN PGP PRIVATE KEY BLOCK-----
...
-----END PGP PRIVATE KEY BLOCK-----

BASH
-----BEGIN EC PRIVATE KEY-----
...
-----END EC PRIVATE KEY-----

PayPal Braintree

Access credentials for direct interaction with fintech are a particular priority. Our algorithms detect and block Braintree access tokens used in PayPal and block any commit that contains them.

Braintree Access Token 

JAVA
PAYPAL_BRAINTREE_ACCESS_TOKEN = "access_token$production$696htvk3y5xcfnsn$42cde001d7a240d98ded578b4c1321c9"

Square

The Square API uses both personal and OAuth access tokens. Our application detects and blocks both.

Access Token

JS
SQUARE_ACCESS_TOKEN = "sq0atp-ZHE5_L-3DJZ9Ti7iDEADBEEF"

OAUTH Secret 

JS
SQUARE_OAUTH_SECRET = "sq0csp-mE0eOD3rS7WsHFXSu2gU9DPumSr2r1AImSdjIkuyza8"

Stripe

Stripe is often cited as the reference standard API for its structure and documentation. Given its wide use, there's an elevated likelihood that Stripe API keys are already embedded in your source deck or supporting files. Our application detects variations on the Stripe API key format, and intercepts them before they can be committed to Bitbucket.

API Keys

JS
STRIPE_API_KEY = "sk_live_ReTllpYQYfIZu2Jnf2lAPFjD"

stripe_creds = "rk_live_5TcWfjKmJgpql9hjpRnwRXbT"

Twilio

Twilio is another API that's in wide use. The Security for Bitbucket algorithms can spot both its API keys and Account IDs, and prevent them from being pushed to your source code repository.

API Key

JS
TWILIO_API_KEY = "SKxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

Account ID

JS
TWILIO_ACCOUNT_ID = "ACxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

URLs with embedded credentials

During testing, passwords can be directly embedded in URLs to facilitate fetching protected resources. These can then be inadvertently committed to your code repository.

Password in URL

PY
response = urllib2.urlopen('https://username:password@myservice.com')

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.