This page provides real-world examples of credentials and vulnerabilities actually detected and intercepted by Soteri's Security for Bitbucket Server. Its algorithms can detect private keys, account numbers, OAuth tokens, and numerous other credentials that use proprietary and deterministic string formats:

Amazon Web Services (AWS)

There's no more widely used cloud platform than AWS and if your organization is on it, you can't risk exposing access information and committing it to source code. As you spin up new VMs or add users, there are inevitably multiple instances of access keys passed around, and used within the source code -- even if they're just hard-coded for the convenience of testing.

AWS Key  

    aws_access_key_id='AKIAIO5FODNN7EXAMPLE'
PY
	const AWSKEY = "AKIALALEMEL33243OLIBE"
JS
	// Tested with AWS "AKIALALEMEL33243OLIAE"
CPP
	Here's an AWS secret: AKIALALEMEL33243OLIAE
CPP

AWS Secret   

	const AWSSECRET = "7CE556A3BC234CC1FF9E8A5C324C0BB70AA21B6D"
JS

Facebook 

Facebook has had its own share of incidents, but there's no reason to risk exposing your access credentials with a careless push to Bitbucket. Security for Bitbucket scans both for facebook client IDs and facebook secrets.

Facebook Client ID  

OAuthClientRequest.tokenProvider(OAuthProviderType.FACEBOOK).setClientId("950513172001321")
JAVA

Facebook Secret  

const fb_secret = "3b2e464637e5159024254dd78aadb17a"
JS

Google

With the widespread use of Google as an authentication service, accidentally committing a google OAuth key can leave crucial information for attackers, even if the commit is quickly reverted. Security for Bitbucket supports scanning all incoming commits for Google OAuth tokens and OAuth client IDs, as well as Google API keys.

Google OAuth 

static final auth_test = "ya29.AHES67zeEn-RDg9CA5gGKMLKuG4uVB7W4O4WjNr-NBfY6Dtad4vbIZ";
JAVA
static final client_test = "147328480433-ivpqgaaldsjv9br163dockt29e200r62.apps.googleusercontent.com";
JAVA

Google API token 

const API_TOKEN = "AIzaSyCLWjZ0_ETxgPOxH-gQYT9ODeWcBBZU5-Q"
JS

Generic hard-coded passwords

Passwords are still the most common authentication mechanism around, despite the prevalence of more advanced methods such as SSH keys and API keys. To protect against passwords which are accidentally committed, Security for Bitbucket scans incoming commits for generic patterns which look suspiciously like hardcoded passwords. Here are some examples that would be flagged:

passwd = "qwerty"

db_pass = "qwerty"

PASS = 'secret'

password = "secret"
JAVA

Note that, due to its nature, the generic password rule may generate more false positives than the more specific rules – developers can add an inline annotation to indicate to Security for Bitbucket to ignore the occurrence. See Whitelisting Detected Secrets.

Heroku

Production Heroku API keys can easily end up committed in your repository when a testing script gets accidentally pushed.

Heroku API key

heroku_auth = C7A8B9B3-2C9C-BECC-4C7B-613CB6C9BFF3 # test only
JS

Slack

Organizations who rely on Slack for collaboration and team communication can be easily disrupted by a breach. Our algorithms are sensitive to both web hooks and tokens used on the platform. Given all the potential integrations among Slack, AWS, and source control, the Security for Bitbucket algorithms can plug significant vulnerabilities by detecting access credentials for all three. 

Slack Webhook  

hook = "https://hooks.slack.com/services/Txxxxxxxx/Bxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxx"
PY

Slack Token  

token = "xoxo-523423-234243-234233-e039d02840a0b9379c"
PY
const tok = "xoxa-2-511111111-31111111111-3111111111111-e039d02840a0b9379c"
JS

Mailchimp

Security for Bitbucket Server identifies and intercepts commits that contain API keys for either Mailchimp or Mailgun.

API Keys  

MAILCHIMP_API_KEY = "a2937653ed38c31a43ea46e2b19257db-us2"
JS
# Using 343ea45721923ed956e2b38c31db76aa-us30 for this campaign
JS

Mailgun

API Key 

MAILGUN_API_KEY = "key-eg8f02fb71f9ee886e96588013241ca0"
JAVA

Private Keys (SSH, PGP, etc.)

Accidentally committing SSH private keys can leave critical production systems wide open to attackers. It's an easy mistake to make, as private and public keys are generated together and often reside in the same directory on a developer's machine. Security for Bitbucket scans for private keys in incoming commits and blocks the corresponding commits.

-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----
BASH
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
BASH
-----BEGIN PGP PRIVATE KEY BLOCK-----
...
-----END PGP PRIVATE KEY BLOCK-----
BASH
-----BEGIN EC PRIVATE KEY-----
...
-----END EC PRIVATE KEY-----
BASH

PayPal Braintree

Access credentials for direct interaction with Fintech are a particular priority. Our algorithms detect and block Braintree access tokens used in PayPal and block any commit that contains them.

Braintree Access Token 

PAYPAL_BRAINTREE_ACCESS_TOKEN = "access_token$production$696htvk3y5xcfnsn$42cde001d7a240d98ded578b4c1321c9"
JAVA

Square

The Square API uses both personal and OAuth access tokens. Our application detects and blocks both.

Access Token

SQUARE_ACCESS_TOKEN = "sq0atp-ZHE5_L-3DJZ9Ti7iDEADBEEF"
JS

OAUTH Secret 

SQUARE_OAUTH_SECRET = "sq0csp-mE0eOD3rS7WsHFXSu2gU9DPumSr2r1AImSdjIkuyza8"
JS

Stripe

Stripe is often cited as the reference standard API for its structure and documentation. Given its wide use, there's an elevated likelihood that Stripe API keys are already embedded in your source deck or supporting files. Our application detects variations on the Strip API key format, and intercepts them before they can be committed to Bitbucket.

API Keys

STRIPE_API_KEY = "sk_live_ReTllpYQYfIZu2Jnf2lAPFjD"

stripe_creds = "rk_live_5TcWfjKmJgpql9hjpRnwRXbT"
JS

Twilio

Twilio is another API that's in wide use. The Security for Bitbucket algorithms can spot both its API keys and Account IDs, and prevent them from being pushed to your source code repository.

API Key

	TWILIO_API_KEY = "SKxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
JS

Account ID

	TWILIO_ACCOUNT_ID = "ACxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
JS

URLs with embedded credentials

During testing, passwords can be directly embedded in URLs to facilitate fetching protected resources. These can then be inadvertently committed to your code repository.

Password in URL

response = urllib2.urlopen('https://username:password@myservice.com')
PY

Copyright © 2021 Soteri