Skip to main content
Skip table of contents

Overview

It's a significant risk in Confluence – any user can post access keys, passwords, and many other kinds of sensitive information in plain text, right into a wiki page, blog post, or a file attached to a page.

Confluence has no built-in mechanism to detect content that contains sensitive credentials that could fall into the wrong hands, and typical workflows make this an all-too-easy omission, even by well intentioned users.

This poses an enormous security risk, as access to such information could lead to privilege escalation, either by malicious users who have network access to the Confluence instance, or by an external attacker who has bridged the perimeter security. Just imagine what someone could do with a password to a network device, an AWS access key, or financial account information.

To help prevent such situations, Security for Confluence integrates directly with Confluence, providing tools to automatically detect attempts to improperly store sensitive information, accidental or otherwise.

Scanning spaces from the Soteri Dashboard

Scans may be triggered for spaces individually or, if you are a Confluence administrator, or any user granted explicit app access, all at once. The easiest way to do either is via the Soteri Dashboard, which contains all spaces for which you have administration privileges.

To reach the Soteri Dashboard, click the padlock icon in the top-right toolbar in Confluence:

Then, to trigger a scan, you can either click the arrow icon next to the space, and select “Scan”:

Or, if you are a Confluence administrator, or any user granted explicit app access, click the “Scan All” button:

Learn more about the Soteri Dashboard.

Viewing scan results in the Security Analysis

The Security Analysis page allows you to view the results of a scan. To view a space’s Security Analysis, you may either click the space’s name in the Soteri Dashboard:

Or click “Security Analysis” while viewing the space normally in Confluence:

From the Security Analysis page, you can view and disposition scan findings for that particular space, including hiding false positives. You may also trigger a scan using the “Scan Space” button:

Learn more about the Security Analysis page.

What can Security for Confluence Scan?

Content

Scanned

Page bodies

(tick)

Blog posts

(tick)

Attachments - See Scanning Files Attached to Pages for more information on supported file types.

(tick)

Comments (including inline)

(error)

Drafts

(error)

Supported secrets and keys

Here is the list of vulnerabilities that are currently detected by Soteri's built-in scanning rules.

IT Services

Rule Name

Description

AWS_CLIENT_ID

AWS Identity and Access Management Client IDs uniquely reference users, access keys. These unique IDs can provide access to your AWS instance by allowing users to get keys.

AWS_MWS_KEY

AWS Marketplace Web Service API Keys allow programmatic interfaces to Amazon Seller stores.

AWS_SECRET_ACCESS_KEY

AWS Secret Access Keys allow for authenticated AWS CLI, SDK, and API access.

AZURE_ACCESS_KEY

Azure Access Keys provide access to all data stored in Microsoft Azure.

DYNATRACE_CLIENT_SECRET

Dynatrace Client Secrets allow for access to your Dynatrace instance API.

EC_PRIVATE_KEY

Elliptical Curve Private Keys - We detect many common SSH Private Key formats.

FACEBOOK_CLIENT_ID

Facebook Application IDs

FACEBOOK_SECRET_KEY

Facebook Application Secrets

GENERIC_API_KEY

Generic API Key - Contains logic to detect generic API Keys.

GENERIC_PASSWORD

Generic Passwords - Contains logic to detect generic passwords. Note that this rule may generate many false positives, and is disabled by default.

GENERIC_SECRET

Generic Secrets - Contains logic to detect generic secrets.

GITHUB_KEY

Github Authentication Tokens - This rule detects classic Github Authentication Tokens for personal use (both “classic” and “fine-grained”), as well as for Github Application OAuth.

GOOGLE_API_KEY

Google API Keys

GOOGLE_OAUTH

Google OAuth URLs

GOOGLE_OAUTH_ACCESS_TOKEN

Google OAuth Tokens

HEROKU_API_KEY

Heroku API Keys

LINKEDIN_CLIENT_ID

LinkedIn Client IDs

LINKEDIN_CLIENT_SECRET

LinkedIn Client Secrets

MAILCHIMP_API_KEY

Mailchimp API Key

MAILGUN_API_KEY

Mailgun API Key

PASSWORD_IN_URL

Generic Password in URL - Contains logic to detect passwords embedded in URLs

PAYPAL_BRAINTREE_ACCESS_TOKEN

Paypal's Braintree Access Token

PGP_PRIVATE_KEY

PGP Private Keys

PKCS8_PRIVATE_KEY

PKSC8 Private Keys - We detect many common SSH Private Key formats.

PYPI_UPLOAD_TOKEN

Python Package Index (PyPI) Upload Tokens allow verified publishing of python package to the global repository.

RSA_PRIVATE_KEY

We detect many common SSH Private Key formats.

SENDGRID_API_KEY

Sendgrid API Keys

SHOPIFY_PARTNER_API_ACCESS_TOKEN

Shopify Partner API access Tokens provide access to the a given store's API.

SHOPIFY_SECRETS

Shopify API Secrets give access to all aspects of the general Shopify API – this rule contains logic to detect Shared Secrets and Access Tokens for regular, Custom, and Private applications.

SLACK

Slack API Tokens give access to various API features.

SLACK_WEBHOOK

Slack Webhooks are secret URLs which give similar access as API Tokens.

SQUARE_ACCESS_TOKEN

Square Access Tokens

SQUARE_OAUTH_SECRET

Square OAuth Secrets

SSH_PRIVATE_KEY

Generic SSH Private Key - We detect many common SSH Private Key formats.

SSH_PUBLIC_KEY

Public Key-half of key-based authentication. Weak public keys can be brute-force cracked by modern computers, and can represent equal vulnerability to the private-key half of the pair. Since properly-generated public keys are not a threat, this rule is disabled by default.

TROJAN_SOURCE

Trojan Source detects left-to-right and right-to-left unicode control characters which can be used to obscure malicious code. For more information, see the Trojan Source paper and CVE-2021-42574 in the NIST Database.

Note: the homoglyph attack described in this paper, and tracked as CVE-2021-42694 in the NIST Database, is not detected by this rule, as it can generate a lot of false positives for non-English languages. See “Mitigating Trojan Source Attacks” for Soteri’s recommendations if you’re interested in detecting potential homoglyph attacks.

STRIPE_API_KEY

Stripe API Key

TWILIO_ACCOUNT_ID

Twilio Account ID - part of the Twilio API

TWILIO_API_KEY

Twilio API Key - part of the Twilio API

TWITTER_CLIENT_ID

Twitter Client ID

TWITTER_SECRET_KEY

Twitter Secret Key

Financial

Rule Name

Description

BANK_INFORMATION

Detects bank account information like routing numbers, etc. which may accompany more sensitive information.

CREDIT_CARD_NUMBERS

Detects credit card numbers.

SOCIAL_SECURITY_NUMBERS

Detects United States Social Security Numbers.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.