diff --git a/data/rules/azuredevops.yml b/data/rules/azuredevops.yml index 2597a77..4188999 100644 --- a/data/rules/azuredevops.yml +++ b/data/rules/azuredevops.yml @@ -13,7 +13,7 @@ rules: min_entropy: 3 confidence: medium examples: - - azure devops pat = FBdFol081crwkIHWJH2yiqDDyrFjVSi7HWl22hN2hTYfsB8NlGDpJQQJ77BAACAAAAAAAAAAAAASAZDOBucT + - azure devops pat = FBdFol081crwkIHWJH2yiqDDyrFjVSi7HWl22hN2hTYfsB8NlGDpJQQJ77BAACAAAAAAAAAAAAASAZDOBucTj references: - https://learn.microsoft.com/en-us/rest/api/azure/devops/profile/profiles/get?view=azure-devops-rest-7.1&tabs=HTTP - https://learn.microsoft.com/en-us/azure/devops/release-notes/2024/general/sprint-241-update diff --git a/data/rules/fileio.yml b/data/rules/fileio.yml index c6413a1..6bdd8dd 100644 --- a/data/rules/fileio.yml +++ b/data/rules/fileio.yml @@ -10,9 +10,8 @@ rules: (?:.|[\n\r]){0,16}? \b ( - [A-Z0-9]{16} - (?:\.[A-Z0-9]{7}){2} - \.[A-Z0-9]{8} + [A-Z0-9]{20} + \.[A-Z0-9]{20} ) \b min_entropy: 3.3 diff --git a/data/rules/frame.io.yml b/data/rules/frame.io.yml index 8b3b562..a5ef94b 100644 --- a/data/rules/frame.io.yml +++ b/data/rules/frame.io.yml @@ -12,7 +12,6 @@ rules: confidence: medium examples: - fio-u-TaWoPIBovaGCbBkUtGPKWS0D3cu254VA33IFCCrtwl8J2Dtq2pMJ9MvNHmNoL2XX - - ffio-u-TaWoPIBovaGCbBkUtGPKWS0D3cu254VA33IFCCrtwl8J2Dtq2pMJ9MvNHmNoL2XX references: - https://developer.frame.io/api/reference/operation/getMe/ validation: diff --git a/data/rules/intercom.yml b/data/rules/intercom.yml index 8c16153..0c75e33 100644 --- a/data/rules/intercom.yml +++ b/data/rules/intercom.yml @@ -2,9 +2,9 @@ rules: - name: Intercom API Token id: kingfisher.intercom.1 pattern: | - (?xi) - (?:^|[\s"'=]) + (?xi) (?:intercom(?:_access)?|ic) + (?:.|[\n\r]){0,16}? (?:SECRET|PRIVATE|ACCESS|KEY|TOKEN) (?:.|[\n\r]){0,16}? ( diff --git a/data/rules/linear.yml b/data/rules/linear.yml index da4330b..9adf6e8 100644 --- a/data/rules/linear.yml +++ b/data/rules/linear.yml 
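Review bot: The captured token shape for file.io changes from `16.7.7.8` to `20.20` characters, but this hunk does not touch the rule's `examples:` or `references:`, which sit outside it; if the example still follows the old dotted layout the rule's self-test will no longer match, and nothing in the file records where the 40-character format comes from. Update the example to the new shape and add a reference, or at least a `# format: <20 chars>.<20 chars>` comment above the capture, so the change is traceable. The keyword prefix and the `(?:.|[\n\r]){0,16}?` gap above the capture are outside the hunk.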
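Review bot: Dropping `(?:^|[\s"'=])` in the Intercom rule leaves the `ic` alternative with no left boundary, so under `(?i)` it now matches inside ordinary words such as `public`, `service` or `basic` whenever SECRET/KEY/TOKEN follows within 16 characters, which will push up false positives from a two-letter keyword. Keep a lead-in in front of the keyword group while adding the new gap, e.g. `(?:^|[^a-z0-9_])` on the line before `(?:intercom(?:_access)?|ic)`, or restore the removed line as it was. The capture group and the rest of the rule continue past the hunk.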
@@ -29,7 +29,7 @@ rules: { "query": "query { issues(first: 1) { nodes { id } } }" } - url: https://api.linear.app/graphql + url: https://api.linear.app/graphql response_matcher: - report_response: true - type: StatusMatch diff --git a/data/rules/mandrill.yml b/data/rules/mandrill.yml new file mode 100644 index 0000000..4f0228c --- /dev/null +++ b/data/rules/mandrill.yml @@ -0,0 +1,38 @@ +rules: + - name: Mandrill API Key + id: kingfisher.mandrill.1 + pattern: | + (?x) + (?i) + \b + mandrill + (?:.|[\n\r]){0,32}? + (?:SECRET|PRIVATE|ACCESS|KEY|TOKEN) + (?:.|[\n\r]){0,32}? + \b + ( + (?:[0-9A-Za-z_-]{11}){2} + ) + min_entropy: 3.5 + confidence: medium + examples: + - mandrill_token = taqnVL1P5AJrM4oU4opSqQ + categories: + - api + - identifier + validation: + type: Http + content: + request: + method: POST + headers: + Content-Type: application/json + body: | + { "key": "{{ TOKEN }}" } + url: https://mandrillapp.com/api/1.0/users/ping.json + response_matcher: + - report_response: true + - type: StatusMatch + status: [200] + - type: WordMatch + words: ['"PONG!"'] \ No newline at end of file diff --git a/data/rules/mapbox.yml b/data/rules/mapbox.yml new file mode 100644 index 0000000..d29ffdf --- /dev/null +++ b/data/rules/mapbox.yml 
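Review bot: In the Mandrill rule the capture `(?:[0-9A-Za-z_-]{11}){2}` has a `\b` in front but nothing behind it, so any longer base64-like string near `mandrill … key` has its first 22 characters cut off and posted to the ping endpoint as a candidate key; terminate the capture the way the Stripe rule in this changeset does, e.g. `(?=$|[^0-9A-Za-z_-])` after the closing paren. Add a `references:` entry for the `users/ping.json` endpoint so the validation request and the 22-character format are traceable, as the other rules in this changeset do. The file also lacks a trailing newline.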
@@ -0,0 +1,74 @@ +rules: + - name: Mapbox Public Access Token + id: kingfisher.mapbox.1 + pattern: '(?i)(?s)mapbox.{0,30}(pk\.[a-z0-9\-+/=]{32,128}\.[a-z0-9\-+/=]{20,30})(?:[^a-z0-9\-+/=]|$)' + min_entropy: 3.3 + confidence: medium + examples: + - | + mapboxApiKey: + 'pk.eyJ1Ijoia3Jpc3R3IiwiYSI6ImNqbGg1N242NTFlczczdnBcf99iMjgzZ2sifQ.lUneM-o3NucXN189EYyXxQ' + references: + - https://docs.mapbox.com/api/accounts/tokens/#token-format + - https://docs.mapbox.com/help/getting-started/access-tokens/ + - https://docs.mapbox.com/help/troubleshooting/how-to-use-mapbox-securely + validation: + type: Http + content: + request: + method: GET + # smallest public-data endpoint: returns JSON style definition + url: https://api.mapbox.com/styles/v1/mapbox/streets-v11?access_token={{ TOKEN }} + response_matcher: + - report_response: true + - type: StatusMatch + status: [200] + - type: JsonValid + + - name: Mapbox Secret Access Token + id: kingfisher.mapbox.2 + pattern: '(?i)(?s)mapbox.{0,30}(sk\.[a-z0-9\-+/=]{32,128}\.[a-z0-9\-+/=]{20,30})(?:[^a-z0-9\-+/=]|$)' + min_entropy: 3.3 + confidence: medium + examples: + - " //mapboxgl.accessToken = 'sk.eyJ1Ijoic2hlbmdsaWgiLCJhIjCf99ttaWF5bDBsMGNlaDJubGZyMGUwZXNmaCJ9.eI8KXNm5zKZXOKh0c8u9vg';" + - 'export MAPBOX_SECRET_TOKEN=sk.eyJ1IjoiY2FwcGVsYWVyZSIsImEicf99c1BaTkZnIn0.P4lD1eHeSEx7AsBq1zbJ4g' + references: + - https://docs.mapbox.com/api/accounts/tokens/#token-format + - https://docs.mapbox.com/help/getting-started/access-tokens/ + - https://docs.mapbox.com/help/troubleshooting/how-to-use-mapbox-securely + validation: + type: Http + content: + request: + method: GET + url: https://api.mapbox.com/styles/v1/mapbox/streets-v11?access_token={{ TOKEN }} + response_matcher: + - report_response: true + - type: StatusMatch + status: [200] + - type: JsonValid + + - name: Mapbox Temporary Access Token + id: kingfisher.mapbox.3 + pattern: '(?i)(?s)mapbox.{0,30}(tk\.[a-z0-9\-+/=]{32,128}\.[a-z0-9\-+/=]{20,30})(?:[^a-z0-9\-+/=]|$)' + min_entropy: 3.3 
+ confidence: medium + examples: + - " //mapboxgl.accessToken = 'tk.eyJ1Ijoic2hlbmdsaWgiLCJhIjCf99ttaWF5bDBsMGNlaDJubGZyMGUwZXNmaCJ9.eI8KXNm5zKZXOKh0c8u9vg';" + - 'export MAPBOX_TEMP_TOKEN=tk.eyJ1IjoiY2FwcGVsYWVyZSIsImEicf99c1BaTkZnIn0.P4lD1eHeSEx7AsBq1zbJ4g' + references: + - https://docs.mapbox.com/api/accounts/tokens/#token-format + - https://docs.mapbox.com/help/getting-started/access-tokens/ + - https://docs.mapbox.com/help/troubleshooting/how-to-use-mapbox-securely + validation: + type: Http + content: + request: + method: GET + url: https://api.mapbox.com/styles/v1/mapbox/streets-v11?access_token={{ TOKEN }} + response_matcher: + - report_response: true + - type: StatusMatch + status: [200] + - type: JsonValid diff --git a/data/rules/microsoft_teams.yml b/data/rules/microsoft_teams.yml new file mode 100644 index 0000000..13cc044 --- /dev/null +++ b/data/rules/microsoft_teams.yml 
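Review bot: All three Mapbox rules validate by fetching `styles/v1/mapbox/streets-v11`, which requires the `styles:read` scope; a secret (`sk.`) or temporary token is not guaranteed to carry that scope, so a live token scoped differently would be reported as invalid, and `JsonValid` alone accepts any JSON body that comes back with 200. If the token API behaves as the referenced docs describe, `url: https://api.mapbox.com/tokens/v2?access_token={{ TOKEN }}` with `words: ['TokenValid']` is a scope-independent check and is worth confirming with a revoked token. Separately, the class `[a-z0-9\-+/=]` omits `_`, which base64url-encoded payloads and signatures use, while admitting `+`, `/` and `=`, which would need URL encoding before being placed in the query string; `[a-z0-9_-]` fits the format on the referenced token-format page better.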
@@ -0,0 +1,52 @@ +rules: + - name: Microsoft Teams Webhook + id: kingfisher.msteams.1 + pattern: | + (?xi) + ( + https:// + outlook\.office\.com/webhook/ + [0-9a-f]{8}- + [0-9a-f]{4}- + [0-9a-f]{4}- + [0-9a-f]{4}- + [0-9a-f]{12} + @ + [0-9a-f]{8}- + [0-9a-f]{4}- + [0-9a-f]{4}- + [0-9a-f]{4}- + [0-9a-f]{12} + /IncomingWebhook/ + [0-9a-f]{32} + / + [0-9a-f]{8}- + [0-9a-f]{4}- + [0-9a-f]{4}- + [0-9a-f]{4}- + [0-9a-f]{12} + ) + min_entropy: 3.3 + confidence: medium + examples: + - 'https://outlook.office.com/webhook/9da5da9c-4218-4c22-aed6-b5c8baebfff5@2f2b54b7-0141-4ba7-8fcd-ab7d17a60547/IncomingWebhook/1bf66ccbb8e745e791fa6e6de0cf465b/4361420b-8fde-48eb-b62a-0e34fec63f5c' + - 'https://outlook.office.com/webhook/fa4983ab-49ea-4c1b-9297-2658ea56164c@f784fbed-7fc7-4c7a-aae9-d2f387b67c5d/IncomingWebhook/4d2b3a16113d47b080b7a083b5a5e533/74f315eb-1dde-4731-b6b5-2524b77f2acd' + - 'https://outlook.office.com/webhook/555aa7fc-ea71-4fb7-ae9e-755caa4404ed@72f988bf-86f1-41af-91ab-2d7cd011db47/IncomingWebhook/16085df23e564bb9076842605ede3af2/51dab674-ad95-4f0a-8964-8bdefc25b6d9' + - 'https://outlook.office.com/webhook/2f92c502-7feb-4a6c-86f1-477271ae576f@990414fa-d0a3-42f5-b740-21d865a44a28/IncomingWebhook/54e43eb586f14aa9984d5c0bec3d5050/539ce6fa-e9aa-413f-a79b-fb7e8998fcac' + validation: + type: Http + content: + request: + method: POST + url: '{{ TOKEN }}' + headers: + Content-Type: application/json + body: '{"text":""}' + response_matcher: + - report_response: true + - type: StatusMatch + status: + - 400 + - type: WordMatch + words: + - 'Text is required' \ No newline at end of file diff --git a/data/rules/microsoftteamswebhook.yml b/data/rules/microsoftteamswebhook.yml new file mode 100644 index 0000000..3fc349c --- /dev/null +++ b/data/rules/microsoftteamswebhook.yml 
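Review bot: This rule and the new `microsoftteamswebhook.yml` in the same changeset both carry `name: Microsoft Teams Webhook` while matching different URL shapes (legacy `outlook.office.com/webhook/` here, `*.webhook.office.com/webhookb2/` there) and expecting different statuses for the same `{"text":""}` probe (400 here, 200 there), so findings are indistinguishable by name and one of the two validations is presumably wrong. Put both patterns in one file under distinct names, e.g. `name: Microsoft Teams Webhook (legacy Office 365 connector URL)` and `name: Microsoft Teams Webhook (webhookb2)`, with ids `kingfisher.msteams.1` and `kingfisher.msteams.2`, and settle the expected status against a revoked webhook. A `references:` entry for the Teams incoming-webhook documentation would also help; this rule has none.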
@@ -0,0 +1,38 @@ +rules: + - name: Microsoft Teams Webhook + id: kingfisher.microsoftteamswebhook.1 + pattern: | + (?x) + https://[a-zA-Z0-9]+\.webhook\.office\.com/webhookb2 + / + [a-zA-Z0-9]{8}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{12} + @ + [a-zA-Z0-9]{8}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{12} + / + IncomingWebhook + / + [a-zA-Z0-9]{32} + / + [a-zA-Z0-9]{8}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{12} + min_entropy: 3.3 + confidence: medium + examples: + - "https://contoso.webhook.office.com/webhookb2/12345678-abcd-1234-efgh-56789abcdef0@12345678-abcd-1234-efgh-56789abcdef0/IncomingWebhook/abcdefgh12345678abcdefgh12345678/12345678-abcd-1234-efgh-56789abcdef0" + validation: + type: Http + content: + request: + body: | + {'text':''} + headers: + Content-Type: application/json + method: POST + response_matcher: + - type: StatusMatch + status: + - 200 + - report_response: true + type: WordMatch + words: + - "Text is required" + url: '{{ TOKEN }}' \ No newline at end of file diff --git a/data/rules/stripe.yml b/data/rules/stripe.yml new file mode 100644 index 0000000..92a9d2e --- /dev/null +++ b/data/rules/stripe.yml 
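Review bot: The probe body `{'text':''}` is not valid JSON (single quotes) yet is sent with `Content-Type: application/json`, so the endpoint will most likely reject it as malformed rather than answer `Text is required`; use `body: '{"text":""}'` as the sibling `microsoft_teams.yml` rule does. The matcher then expects status 200 together with the `Text is required` error text, whereas the sibling rule expects 400 for the same probe; if the matchers are AND-ed this rule can never validate, so confirm the real status with a revoked webhook and align the two. The GUID segments use `[a-zA-Z0-9]` where the sibling uses `[0-9a-f]`, which is why the example needs the non-hex `efgh`; hex classes would cut false positives, and wrapping the URL in a capture group `( … )` would match the other rule's shape.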
@@ -0,0 +1,60 @@ +rules: + - name: Stripe Publishable Key + id: kingfisher.stripe.1 + + pattern: | + (?xi) + (?:stripe|strp) + (?:SECRET|PRIVATE|ACCESS|KEY|TOKEN) + (?:.|[\n\r]){0,32}? + ( + pk_live_ + (?:[0-9A-Za-z]{6}){4,30} + ) + (?=$|[\s"']) + min_entropy: 3.3 + confidence: medium + categories: [api, key] + examples: + - stripe_pub_key = pk_live_HQS0j4H75XpthOW87eY1sXa2BYz3Ab + + - name: Stripe Secret / Restricted Key + id: kingfisher.stripe.2 + + pattern: | + (?ix) + (?:^|[\s"'=]) + (?:stripe|strp) + (?:SECRET|PRIVATE|ACCESS|KEY|TOKEN) + (?:.|[\n\r]){0,32}? + ( + (?: + sk|rk + )_live_ + (?:[0-9A-Za-z]{8}){3,25} + ) + (?=$|[\s"']) + + min_entropy: 3.3 + confidence: medium + categories: [api, key] + examples: + - stripe_secret_key = sk_live_f01c79xuuug7yodgzj5ws0h1x2kyvho3 + - "strp_sec_key: rk_live_4haG9YwGkL2hXqTj5pSzo8FzB3uCwE7n" + + validation: + type: Http + content: + request: + method: GET + headers: + Authorization: Bearer {{ TOKEN }} + Accept: application/json + url: https://api.stripe.com/v1/account + response_matcher: + - report_response: true + - type: StatusMatch + status: [200] + - type: WordMatch + match_all_words: true + words: ['"object":"account"'] diff --git a/data/rules/tailscale.yml b/data/rules/tailscale.yml index 4e442c8..8ac7e50 100644 --- a/data/rules/tailscale.yml +++ b/data/rules/tailscale.yml @@ -12,8 +12,8 @@ rules: min_entropy: 3.0 confidence: medium examples: - - tskey-secret-12345678-abcd - - tskey-api-abcdefg-123456789 + - tskey-secret-12345678-abcdefghijkl + - tskey-api-abcdefg-1234567890123 references: - https://tailscale.com/kb/1215/oauth-clients validation:
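Review bot: Neither Stripe pattern allows anything between `(?:stripe|strp)` and `(?:SECRET|PRIVATE|ACCESS|KEY|TOKEN)`, so the rule's own examples cannot match: in `stripe_pub_key`, `stripe_secret_key` and `strp_sec_key` the keyword is followed by `_pub_`, `_secret` or `_sec`, not by one of the alternatives. Insert the gap the Mandrill and Intercom rules in this changeset use, `(?:.|[\n\r]){0,32}?`, between the two groups in both `kingfisher.stripe.1` and `kingfisher.stripe.2`. The chunked quantifiers `(?:[0-9A-Za-z]{6}){4,30}` and `(?:[0-9A-Za-z]{8}){3,25}`, combined with the `(?=$|[\s"'])` lookahead, also only admit key lengths that are multiples of 6 or 8, which as far as I know is not a property of Stripe key formats; a plain range such as `[0-9A-Za-z]{24,99}` is safer, to be confirmed against current key lengths. `kingfisher.stripe.1` has no `references:`; the Stripe API-keys page would be the natural one.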