Example Scan Findings Detected
This page provides real-world examples of credentials and vulnerabilities actually detected and intercepted in scans run by Soteri's Security for Bitbucket. Its algorithms can detect private keys, account numbers, OAuth tokens, and numerous other credentials that use proprietary and deterministic string formats.
This is just a sampling of what can be detected by Soteri's Security for Bitbucket! For a comprehensive list of built-in Vulnerability Detection Capabilities, see Built-In Scanning Rules .
Amazon Web Services (AWS)
AWS is a widely used cloud platform, and if your organization is on it, you can't risk exposing access information by committing it to source code. As you spin up new VMs or add users, there are inevitably multiple instances of access keys passed around, and used within the source code – even if they're just hard-coded for the convenience of testing.
AWS Key
aws_access_key_id='AKIAIO5FODNN7EXAMPLE'
const AWSKEY = "AKIALALEMEL33243OLIB"
// Tested with AWS "AKIALALEMEL33243OLIA"
Here's an AWS secret: AKIALALEMEL33243OLIA
AWS Secret
const AWSSECRET = "7ce556A3bD234Cc1Ff9E8A5C324C0bB70aA21B6d"
Facebook has had its own share of incidents, but there's no reason to risk exposing your access credentials with a careless push to Bitbucket. Security for Bitbucket scans both for Facebook client IDs and Facebook secrets.
Facebook Client ID
OAuthClientRequest.tokenProvider(OAuthProviderType.FACEBOOK).setClientId("950513172001321")
Facebook Secret
const fb_secret = "3b2e464637e5159024254dd78aadb17a"
With the widespread use of Google as an authentication service, accidentally committing a Google OAuth key can expose crucial information for attackers, even if the commit is quickly reverted. Security for Bitbucket supports scanning all incoming commits for Google OAuth tokens and OAuth client IDs, as well as Google API keys.
Google OAuth Access Token
static final auth_test = "ya29.AHES67zeEn-RDg9CA5gGKMLKuG4uVB7W4O4WjNr-NBfY6Dtad4vbIZ";
Google OAuth
static final client_test = "147328480433-ivpqgaaldsjv9br163dockt29e200r62.apps.googleusercontent.com";
Google API token
const API_TOKEN = "AIzaSyCLWjZ0_ETxgPOxH-gQYT9ODeWcBBZU5-Q"
Github
Github has credentials which can be used like passwords to authenticate individual developers, OAuth tokens, users with Github server applications, and refresh tokens to get new credentials. Security for Bitbucket scans for all kinds of Github Authentication Tokens.
Github Personal Access Tokens
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
Github OAuth Tokens
gho_26C7e42sdflkj32cE7710c824347Ae178B4b
Github User to Server and Server to User Tokens
ghu_16C7e42F292c6912E7710c838347Ae178B4a
ghs_flkj32cE7710c8flkj32cE7710c8flkj32cE
Github Refresh Tokens
ghr_1B4a2e77838347a7E420ce178F2E7c6912E169246c34E1ccbF66C46812d16D5B1A9Dc86A1498
Generic hard-coded passwords
Passwords are still the most common authentication mechanism around, despite the prevalence of more advanced methods such as SSH keys and API keys. To protect against passwords which are accidentally committed, Security for Bitbucket scans incoming commits for generic patterns which look suspiciously like hardcoded passwords. Here are some examples that would be flagged if the GENERIC_PASSWORD rule were turned on:
passwd = "qwerty"
db_pass = "qwerty"
PASS = 'secret'
password = "secret"
Note that, due to its nature, the GENERIC_PASSWORD rule may generate more false positives than the more specific rules. To mitigate these, developers can add an inline annotation to inform Security for Bitbucket to ignore the occurrence; see Allow-listing Detected Secrets.
Heroku
Production Heroku API keys can easily end up committed in your repository when a testing script gets accidentally pushed.
Heroku API key
heroku_auth = C7A8B9B3-2C9C-BECC-4C7B-613CB6C9BFF3 # test only
Slack
Organizations who rely on Slack for collaboration and team communication can be easily disrupted by a breach. Our algorithms are sensitive to both web hooks and tokens used on the platform. Given all the potential integrations among Slack, AWS, and source control, the Security for Bitbucket algorithms can plug significant vulnerabilities by detecting access credentials for all three.
Slack Webhook
hook = "https://hooks.slack.com/services/Txxxxxxxx/Bxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxx"
Slack Token
token = "xoxo-523423-234243-234233-e039d02840a0b9379c"
const tok = "xoxa-2-511111111-31111111111-3111111111111-e039d02840a0b9379c"
Mailchimp
Security for Bitbucket Server identifies and intercepts commits that contain API keys for either Mailchimp or Mailgun.
API Keys
MAILCHIMP_KEY = "a2937653ed38c31a43ea46e2b19257db-us2"
# Using 343ea45721923ed956e2b38c31db76aa-us30 for this campaign
Mailgun
API Key
MAILGUN_KEY = "key-eg8f02fb71f9ee886e96588013241ca0"
Private Keys (SSH, PGP, etc.)
Accidentally committing SSH private keys can leave critical production systems wide open to attackers. It's an easy mistake to make, as private and public keys are generated together and often reside in the same directory on a developer's machine. Security for Bitbucket scans for private keys in incoming commits and blocks the corresponding commits.
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
-----BEGIN PGP PRIVATE KEY BLOCK-----
...
-----END PGP PRIVATE KEY BLOCK-----
-----BEGIN EC PRIVATE KEY-----
...
-----END EC PRIVATE KEY-----
PayPal Braintree
Access credentials for direct interaction with fintech are a particular priority. Our algorithms detect and block Braintree access tokens used in PayPal and block any commit that contains them.
Braintree Access Token
PAYPAL_BRAINTREE_ACCESS_TOKEN = "access_token$production$696htvk3y5xcfnsn$42cde001d7a240d98ded578b4c1321c9"
Square
The Square API uses both personal and OAuth access tokens. Our application detects and blocks both.
Access Token
SQUARE_ACCESS_TOKEN = "sq0atp-ZHE5_L-3DJZ9Ti7iDEADBEEF"
OAUTH Secret
SQUARE_OAUTH_SECRET = "sq0csp-mE0eOD3rS7WsHFXSu2gU9DPumSr2r1AImSdjIkuyza8"
Stripe
Stripe is often cited as the reference standard API for its structure and documentation. Given its wide use, there's an elevated likelihood that Stripe API keys are already embedded in your source deck or supporting files. Our application detects variations on the Stripe API key format, and intercepts them before they can be committed to Bitbucket.
API Keys
STRIPE_API_KEY = "sk_live_ReTllpYQYfIZu2Jnf2lAPFjD"
stripe_creds = "rk_live_5TcWfjKmJgpql9hjpRnwRXbT"
Twilio
Twilio is another API that's in wide use. The Security for Bitbucket algorithms can spot both its API keys and Account IDs, and prevent them from being pushed to your source code repository.
API Key
TWILIO_API_KEY = "SKxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
Account ID
TWILIO_ACCOUNT_ID = "ACxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
URLs with embedded credentials
During testing, passwords can be directly embedded in URLs to facilitate fetching protected resources. These can then be inadvertently committed to your code repository.
Password in URL
response = urllib2.urlopen('https://username:password@myservice.com')