Meet TruffleHog – a browser extension for finding secret keys in JavaScript code

Charlie Osborne September 24, 2021 at 14:45 UTC

Updated: September 24, 2021 at 14:57 UTC

API keys are accidentally leaked by websites. Here’s how to find them

A new Chrome browser extension has been released to help bounty hunters find keys that have made their way into JavaScript online.

The open source extension, now available on GitHub, is called TruffleHog and is the work of Truffle Security.

Cybersecurity firm co-founder Dylan Ayrey said in a September 19 blog post that API keys for Software as a Service (SaaS) and cloud providers often find their way into JavaScript, and the company is therefore “proud” to offer a Chrome extension capable of finding them.

In a video describing the extension, Mike Ruth, infrastructure security engineer at Bex, said such keys could be used to “access something we shouldn’t”.

Ayrey was able to find one of those secrets – an AWS key that was buried in the code on the front page of, a domain that has received over 740 million visitors in the past six months.

Mix of truffles

The original TruffleHog tool was released in 2017 as a git repository scanner.

However, it proved controversial after being used by a member of the drone hacking community to discover leaks in the corporate GitHub repository of drone developer DJI.


The developer allegedly responsible for the accidental leaks has been fined and jailed by the Chinese government.

This time, Ayrey told The Daily Swig that he worked with HackerOne and a few selected researchers in an early beta to clean up the “low-hanging fruit” ahead of public release, and that the extension was motivated by the need to examine cross-origin resource sharing (CORS) security vulnerabilities – an area the researcher says “has not been explored much”.

Flip the script

According to Ayrey, many SaaS applications today are designed to “encourage front-end applications to contain keys in their JavaScript.”

Many are not accidents, or “observable blocks of text,” the developer says, but are in fact actively used by the JavaScript on a page when APIs allow CORS.

Some APIs may have permissive CORS settings, encouraging websites to make requests to an API – such as AWS – directly from the browser; but since those requests are authenticated, a common method used by website owners is to put the required credentials in the page’s JavaScript.


“Because multiple front-end applications often consume the same main API, unfortunately many internal applications get scopes with permissive CORS settings,” Ayrey commented.

“Unfortunately, CORS issues can often cascade and lead to multiple points of failure compromising the integrity of keys on internal applications.”

This can result in a foreign origin capable of making requests to internal applications and APIs – and, potentially, becoming an avenue for key theft. TruffleHog will search for these keys, which could then be reported to vendors for bug bounties.
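To make the CORS point above concrete from the reviewing side, here is an added example (not code from the article or from Truffle Security) that classifies an API response's CORS headers for a given requesting origin. The header names are the standard CORS ones; the `allowlist` argument, the finding labels and the sample header sets are assumptions constructed for this example.

```javascript
// Added example: audit a CORS response the way a defender reviewing an
// internal API would. Input: the Origin the browser sent, the response
// headers, and the origins the API is *meant* to trust (constructed here).
// Output: a list of finding labels (names chosen for this example).
function auditCors(requestOrigin, headers, allowlist) {
  // Normalise header names so lookups are case-insensitive.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  const acao = h['access-control-allow-origin'];
  const creds = (h['access-control-allow-credentials'] || '').toLowerCase() === 'true';
  const varyOrigin = (h['vary'] || '').toLowerCase().split(',')
    .map((s) => s.trim()).includes('origin');
  const findings = [];

  if (acao === undefined) return findings;          // no cross-origin read at all

  if (acao === '*') {
    // Public data only; browsers refuse to pair '*' with credentials, so the
    // second label flags a misconfiguration rather than a working exposure.
    findings.push(creds ? 'wildcard_with_credentials' : 'wildcard_origin');
  } else if (acao === 'null') {
    // 'null' is what sandboxed iframes and file:// pages send; trusting it
    // is effectively trusting anyone.
    findings.push('null_origin_allowed');
  } else if (acao === requestOrigin && !allowlist.includes(requestOrigin)) {
    // The server echoed an origin it has no business trusting: the classic
    // "reflect whatever Origin arrives" pattern the article describes.
    findings.push(creds ? 'origin_reflected_with_credentials' : 'origin_reflected');
  }

  // Even a correct per-origin answer must tell caches it depends on Origin.
  if (acao !== '*' && !varyOrigin) findings.push('missing_vary_origin');
  return findings;
}

// Constructed sample responses: a permissive one and a hardened one.
const PERMISSIVE = {
  'Access-Control-Allow-Origin': 'https://foreign-origin.test',
  'Access-Control-Allow-Credentials': 'true',
};
const HARDENED = {
  'Access-Control-Allow-Origin': 'https://app.internal.test',
  'Access-Control-Allow-Credentials': 'true',
  'Vary': 'Origin',
};
const TRUSTED = ['https://app.internal.test'];

function demo() {
  return {
    permissive: auditCors('https://foreign-origin.test', PERMISSIVE, TRUSTED),
    hardened: auditCors('https://app.internal.test', HARDENED, TRUSTED),
  };
}
```

Running `demo()` reports the reflected-origin-with-credentials case for the first response and nothing for the second; the allowlist is what separates "legitimately allowed origin" from "echoed origin", so keep it in sync with the API's real configuration when using a check like this.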

Additionally, the software is capable of detecting exposed .git repositories and associated .env files that may contain credentials, and of scanning backends for them, the developer said. A check has also been included for environment variable scripts.

There are, however, limits to the extension. Ayrey says that currently the extension reads entire document trees, parses all JavaScript links, and fetches static assets twice for analysis, which can affect performance. There is also no caching.
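The workflow just described (walk the document, collect script links, fetch the assets, look for key-shaped strings) is easy to show in miniature. The following is an added example written for this article, not TruffleHog's own code or rule set: the HTML page and the asset map are constructed, the asset fetch is a stub so it runs offline, and only the AWS access-key-ID shape (`AKIA` followed by 16 uppercase alphanumerics, a documented format) is a real-world pattern; the other two detectors are generic heuristics chosen for illustration.

```javascript
// Added example: a minimal page scanner in the spirit of the extension.
// Detector patterns. Only the AWS one mirrors a documented key format; the
// other two are broad heuristics assumed for this example and will produce
// false positives on real bundles.
const DETECTORS = [
  { name: 'aws_access_key_id', re: /\bAKIA[0-9A-Z]{16}\b/g },
  { name: 'generic_secret_assignment',
    re: /\b(?:api[_-]?key|secret|token)\b\s*[:=]\s*['"]([A-Za-z0-9_\-]{20,})['"]/gi },
  { name: 'private_key_block', re: /-----BEGIN (?:RSA |EC )?PRIVATE KEY-----/g },
];

// Constructed sample page: one inline script and two external scripts.
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.test/vendor.js"></script>
<script>
  window.cfg = { region: "us-east-1", apiKey: "demo_abcdefghijklmnopqrstuvwxyz" };
</script>
</head><body>hello</body></html>`;

// Constructed stand-in for the static assets the extension would fetch.
// The key below is the example value from AWS documentation, not a live key.
const SAMPLE_ASSETS = {
  '/static/app.js': 'const creds = { accessKeyId: "AKIAIOSFODNN7EXAMPLE" };',
  'https://cdn.example.test/vendor.js': '/* vendor bundle, nothing secret */',
};

// Pull src attributes from <script> tags (regex is fine for this sample;
// a DOM walk would be used inside a real extension).
function extractScriptSources(html) {
  const srcs = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) srcs.push(m[1]);
  return srcs;
}

// Bodies of <script> tags that have no src attribute.
function extractInlineScripts(html) {
  const bodies = [];
  const re = /<script\b(?![^>]*\bsrc\s*=)[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) bodies.push(m[1]);
  return bodies;
}

// Run every detector over one piece of JavaScript text.
function scanText(text, source) {
  const findings = [];
  for (const d of DETECTORS) {
    d.re.lastIndex = 0; // global regexes keep state between calls
    let m;
    while ((m = d.re.exec(text)) !== null) {
      findings.push({ detector: d.name, source, match: m[1] || m[0] });
    }
  }
  return findings;
}

// Scan inline scripts first, then each linked asset exactly once, caching
// fetched bodies so the same URL is never retrieved twice.
function scanPage(html, fetchAsset) {
  const findings = [];
  const cache = new Map();
  extractInlineScripts(html).forEach((body, i) =>
    findings.push(...scanText(body, `inline#${i}`)));
  for (const src of extractScriptSources(html)) {
    if (!cache.has(src)) cache.set(src, fetchAsset(src));
    const body = cache.get(src);
    if (body != null) findings.push(...scanText(body, src));
  }
  return findings;
}

const results = scanPage(SAMPLE_HTML, (src) => SAMPLE_ASSETS[src]);
```

On the sample page this yields two findings: the generic assignment in the inline script and the AWS key ID in `/static/app.js`. Real bundles are minified and large, so a production scanner would pair each match with a verification step (as the article says TruffleHog aims to do) rather than reporting every regex hit.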

The extension is currently undergoing a security audit by Google for the Chrome Web Store and can therefore only be sideloaded for now.

