Example Scan Findings Detected
This page provides real-world examples of credentials and vulnerabilities actually detected and intercepted in scans run by Soteri's Security for Bitbucket. Its algorithms can detect private keys, account numbers, OAuth tokens, and numerous other credentials that use proprietary and deterministic string formats.
This is just a sampling of what can be detected by Soteri's Security for Bitbucket! For a comprehensive list of built-in Vulnerability Detection Capabilities, see Built-In Scanning Rules .
Amazon Web Services (AWS)
AWS is a widely used cloud platform, and if your organization is on it, you can't risk exposing access information by committing it to source code. As you spin up new VMs or add users, there are inevitably multiple instances of access keys passed around, and used within the source code – even if they're just hard-coded for the convenience of testing.
const AWSKEY = "AKIALALEMEL33243OLIB"
// Tested with AWS "AKIALALEMEL33243OLIA"
Here's an AWS secret: AKIALALEMEL33243OLIA
const AWSSECRET = "7ce556A3bD234Cc1Ff9E8A5C324C0bB70aA21B6d"
Facebook has had its own share of incidents, but there's no reason to risk exposing your access credentials with a careless push to Bitbucket. Security for Bitbucket scans both for Facebook client IDs and Facebook secrets.
Facebook Client ID
const fb_secret = "3b2e464637e5159024254dd78aadb17a"
With the widespread use of Google as an authentication service, accidentally committing a Google OAuth key can expose crucial information for attackers, even if the commit is quickly reverted. Security for Bitbucket supports scanning all incoming commits for Google OAuth tokens and OAuth client IDs, as well as Google API keys.
Google OAuth Access Token
static final auth_test = "ya29.AHES67zeEn-RDg9CA5gGKMLKuG4uVB7W4O4WjNr-NBfY6Dtad4vbIZ";
static final client_test = "147328480433-ivpqgaaldsjv9br163dockt29e200r62.apps.googleusercontent.com";
Google API token
const API_TOKEN = "AIzaSyCLWjZ0_ETxgPOxH-gQYT9ODeWcBBZU5-Q"
Github has credentials which can be used like passwords to authenticate individual developers, OAuth tokens, users with Github server applications, and refresh tokens to get new credentials. Security for Bitbucket scans for all kinds of Github Authentication Tokens.
Github Personal Access Tokens
Github OAuth Tokens
Github User to Server and Server to User Tokens
Github Refresh Tokens
Generic hard-coded passwords
Passwords are still the most common authentication mechanism around, despite the prevalence of more advanced methods such as SSH keys and API keys. To protect against passwords which are accidentally committed, Security for Bitbucket scans incoming commits for generic patterns which look suspiciously like hardcoded passwords. Here are some examples that would be flagged if the GENERIC_PASSWORD rule were turned on:
passwd = "qwerty" db_pass = "qwerty" PASS = 'secret' password = "secret"
Note that, due to its nature, the GENERIC_PASSWORD rule may generate more false positives than the more specific rules. To mitigate these, developers can add an inline annotation to inform Security for Bitbucket to ignore the occurrence; see Allow-listing Detected Secrets.
Production Heroku API keys can easily end up committed in your repository when a testing script gets accidentally pushed.
Heroku API key
heroku_auth = C7A8B9B3-2C9C-BECC-4C7B-613CB6C9BFF3 # test only
Organizations who rely on Slack for collaboration and team communication can be easily disrupted by a breach. Our algorithms are sensitive to both web hooks and tokens used on the platform. Given all the potential integrations among Slack, AWS, and source control, the Security for Bitbucket algorithms can plug significant vulnerabilities by detecting access credentials for all three.
hook = "https://hooks.slack.com/services/Txxxxxxxx/Bxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxx"
token = "xoxo-523423-234243-234233-e039d02840a0b9379c"
const tok = "xoxa-2-511111111-31111111111-3111111111111-e039d02840a0b9379c"
Security for Bitbucket Server identifies and intercepts commits that contain API keys for either Mailchimp or Mailgun.
MAILCHIMP_KEY = "a2937653ed38c31a43ea46e2b19257db-us2"
# Using 343ea45721923ed956e2b38c31db76aa-us30 for this campaign
MAILGUN_KEY = "key-eg8f02fb71f9ee886e96588013241ca0"
Private Keys (SSH, PGP, etc.)
Accidentally committing SSH private keys can leave critical production systems wide open to attackers. It's an easy mistake to make, as private and public keys are generated together and often reside in the same directory on a developer's machine. Security for Bitbucket scans for private keys in incoming commits and blocks the corresponding commits.
-----BEGIN OPENSSH PRIVATE KEY----- ... -----END OPENSSH PRIVATE KEY-----
-----BEGIN RSA PRIVATE KEY----- ... -----END RSA PRIVATE KEY-----
-----BEGIN PGP PRIVATE KEY BLOCK----- ... -----END PGP PRIVATE KEY BLOCK-----
-----BEGIN EC PRIVATE KEY----- ... -----END EC PRIVATE KEY-----
Access credentials for direct interaction with fintech are a particular priority. Our algorithms detect and block Braintree access tokens used in PayPal and block any commit that contains them.
Braintree Access Token
PAYPAL_BRAINTREE_ACCESS_TOKEN = "access_token$production$696htvk3y5xcfnsn$42cde001d7a240d98ded578b4c1321c9"
The Square API uses both personal and OAuth access tokens. Our application detects and blocks both.
SQUARE_ACCESS_TOKEN = "sq0atp-ZHE5_L-3DJZ9Ti7iDEADBEEF"
SQUARE_OAUTH_SECRET = "sq0csp-mE0eOD3rS7WsHFXSu2gU9DPumSr2r1AImSdjIkuyza8"
Stripe is often cited as the reference standard API for its structure and documentation. Given its wide use, there's an elevated likelihood that Stripe API keys are already embedded in your source deck or supporting files. Our application detects variations on the Stripe API key format, and intercepts them before they can be committed to Bitbucket.
STRIPE_API_KEY = "sk_live_ReTllpYQYfIZu2Jnf2lAPFjD" stripe_creds = "rk_live_5TcWfjKmJgpql9hjpRnwRXbT"
Twilio is another API that's in wide use. The Security for Bitbucket algorithms can spot both its API keys and Account IDs, and prevent them from being pushed to your source code repository.
TWILIO_API_KEY = "SKxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
TWILIO_ACCOUNT_ID = "ACxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
URLs with embedded credentials
During testing, passwords can be directly embedded in URLs to facilitate fetching protected resources. These can then be inadvertently committed to your code repository.
Password in URL
response = urllib2.urlopen('https://username:[email protected]')