It's a significant risk in the Confluence environment – any user can post sensitive information such as passwords, public keys, access keys, etc., in cleartext, right into a space or page.
Confluence has no built-in mechanism to detect content that contains sensitive credentials that could fall into the wrong hands; the typical workflows make this an all-too-easy omission even by well intentioned users.
This poses an enormous security risk as this information could be passwords for network devices, private keys, or even personal credentials for highly sensitive systems. This can lead to privilege escalation, either by malicious users who have network access to the Confluence instance, or by an external attacker who has bridged perimeter security.
Our application integrates with Confluence to actively detect attempts to check in sensitive information, accidental or otherwise.
Content can be scanned manually by selecting space or specific page to scan or automatically once new content is published by enabling “Scan new content automatically“ switch for the space.
To view and trigger security scans, you will need Space administer permissions. Navigate to your space of choice, and then go to the Security Scan Tab.
This will take you to the Security Scan page:
Supported Secrets and Keys
Here is the list of vulnerabilities that are currently detected by Soteri's built-in scanning rules.
AWS Identity and Access Management Client IDs uniquely reference users, access keys. These unique IDs can provide access to your AWS instance by allowing users to get keys.
AWS Marketplace Web Service API Keys allow programmatic interfaces to Amazon Seller stores.
AWS Secret Access Keys allow for authenticated AWS CLI, SDK, and API access.
Azure Access Keys provide access to all data stored in Microsoft Azure.
Dynatrace Client Secrets allow for access to your Dynatrace instance API.
Elliptical Curve Private Keys - We detect many common SSH Private Key formats.
Facebook Application IDs
Facebook Application Secrets
Generic API Key - Contains logic to detect generic API Keys.
Generic Passwords - Contains logic to detect generic passwords. Note that this rule may generate many false positives, and is disabled by default.
Generic Secrets - Contains logic to detect generic secrets.
Github Authentication Tokens - This rule detects Github Authentication Tokens for personal use as well as for Github Application OAuth.
Google API Keys
Google OAuth URLs
Google OAuth Tokens
Heroku API Keys
LinkedIn Client IDs
LinkedIn Client Secrets
Mailchimp API Key
Mailgun API Key
Generic Password in URL - Contains logic to detect passwords embedded in URLs
PGP Private Keys
PKSC8 Private Keys - We detect many common SSH Private Key formats.
Python Package Index (PyPI) Upload Tokens allow verified publishing of python package to the global repository.
We detect many common SSH Private Key formats.
Shopify Partner API access Tokens provide access to the a given store's API.
Shopify API Secrets give access to all aspects of the general Shopify API – this rule contains logic to detect Shared Secrets and Access Tokens for regular, Custom, and Private applications.
Slack API Tokens give access to various API features.
Slack Webhooks are secret URLs which give similar access as API Tokens.
Square Access Tokens
Square OAuth Secrets
Generic SSH Private Key - We detect many common SSH Private Key formats.
Public Key-half of key-based authentication. Weak public keys can be brute-force cracked by modern computers, and can represent equal vulnerability to the private-key half of the pair. Since properly-generated public keys are not a threat, this rule is disabled by default.
Trojan Source detects left-to-right and right-to-left unicode control characters which can be used to obscure malicious code. For more information, see the Trojan Source paper and CVE-2021-42574 in the NIST Database.
Note: the homoglyph attack described in this paper, and tracked as CVE-2021-42694 in the NIST Database, is not detected by this rule, as it can generate a lot of false positives for non-English languages. See Mitigating Trojan Source attacks for Soteri’s recommendations if you’re interested in detecting potential homoglyph attacks.
Stripe API Key
Twilio Account ID - part of the Twilio API
Twilio API Key - part of the Twilio API
Twitter Client ID
Twitter Secret Key
Detects bank account information like routing numbers, etc. which may accompany more sensitive information.
Detects credit card numbers.
Detects United States Social Security Numbers.