Connect with us

Hi, what are you looking for?


Application Security

‘Badsecrets’ Open Source Tool Detects Secrets in Many Web Frameworks

Black Lantern Security introduces Badsecrets, an open source tool for identifying known or weak cryptographic secrets across multiple platforms.

Cybersecurity company Black Lantern this week announced Badsecrets, an open source tool that can help identify known or weak cryptographic secrets across many web frameworks.

This pure Python library has a modular design and is currently offering ten modules, which are meant to be replacements of existing tools for finding known secrets.

In fact, Badsecrets itself is inspired by Blacklist3r, a NotSoSecure project for gathering secret keys related to publicly available web frameworks and auditing applications that might be using these pre-published keys.

The goal of Badsecrets, however, is to “expand on the supported platforms and remove language and operating system dependencies”.

The modules currently available with the library support scanning for Flask cookie signing passwords, bad/weak signing passwords in Peoplesoft PS_TOKEN, ASP.NET machine keys, and secret keys in Telerik UI, Django’s session cookies, Ruby on Rails signed or encrypted session cookies, JSON Web Token, Mojarra and Myfaces implementations of Java Server Faces (JSF), and Symfony ‘_fragment’ URLs.

“Knowing when a ‘bad secret’ was used is usually a matter of examining some cryptographic product in which the secret was used: for example, a cookie which is signed with a keyed hashing algorithm. Things can get complicated when you dive into the individual implementation oddities each platform provides, which this library aims to alleviate,” Black Lantern notes.

Badsecrets, the cybersecurity firm notes, was designed to identify known secrets that could be exploited for remote code execution (RCE) or privilege escalation, but does not help address these issues.

Advertisement. Scroll to continue reading.

“It will help you find them, but you are generally on your own from there. Sometimes exploitation will be very straightforward, and in other cases it might require a lot of follow-on work or chaining with other vulnerabilities,” Black Lantern explains.

However, there is currently no plan to change this aspect of Badsecrets, as that could lead to its abuse for the exploitation of identified misconfigurations.

Black Lantern hopes that the community will adopt Badsecrets as the standard for identifying such vulnerabilities and that contributions will help grow the available modules, to cover additional web frameworks and utilities.

Related: GitHub Secret Scanning Now Generally Available

Related: ‘Secrets Sprawl’ Haunts Software Supply Chain Security

Related: Thousands of Secret Keys Found in Leaked Samsung Source Code

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

While there are many routes to application security, bundles that allow security teams to quickly and easily secure applications and affect security posture in...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.