Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

‘Badsecrets’ Open Source Tool Detects Secrets in Many Web Frameworks

Black Lantern Security introduces Badsecrets, an open source tool for identifying known or weak cryptographic secrets across multiple platforms.

Cybersecurity company Black Lantern this week announced Badsecrets, an open source tool that can help identify known or weak cryptographic secrets across many web frameworks.

This pure Python library has a modular design and is currently offering ten modules, which are meant to be replacements of existing tools for finding known secrets.

In fact, Badsecrets itself is inspired by Blacklist3r, a NotSoSecure project for gathering secret keys related to publicly available web frameworks and auditing applications that might be using these pre-published keys.

The goal of Badsecrets, however, is to “expand on the supported platforms and remove language and operating system dependencies”.

The modules currently available with the library support scanning for Flask cookie signing passwords, bad/weak signing passwords in Peoplesoft PS_TOKEN, ASP.NET machine keys, and secret keys in Telerik UI, Django’s session cookies, Ruby on Rails signed or encrypted session cookies, JSON Web Token, Mojarra and Myfaces implementations of Java Server Faces (JSF), and Symfony ‘_fragment’ URLs.

“Knowing when a ‘bad secret’ was used is usually a matter of examining some cryptographic product in which the secret was used: for example, a cookie which is signed with a keyed hashing algorithm. Things can get complicated when you dive into the individual implementation oddities each platform provides, which this library aims to alleviate,” Black Lantern notes.

Badsecrets, the cybersecurity firm notes, was designed to identify known secrets that could be exploited for remote code execution (RCE) or privilege escalation, but does not help address these issues.

“It will help you find them, but you are generally on your own from there. Sometimes exploitation will be very straightforward, and in other cases it might require a lot of follow-on work or chaining with other vulnerabilities,” Black Lantern explains.

Advertisement. Scroll to continue reading.

However, there is currently no plan to change this aspect of Badsecrets, as that could lead to its abuse for the exploitation of identified misconfigurations.

Black Lantern hopes that the community will adopt Badsecrets as the standard for identifying such vulnerabilities and that contributions will help grow the available modules, to cover additional web frameworks and utilities.

Related: GitHub Secret Scanning Now Generally Available

Related: ‘Secrets Sprawl’ Haunts Software Supply Chain Security

Related: Thousands of Secret Keys Found in Leaked Samsung Source Code

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Ketan Tailor has joined Barracuda Networks as Chief Customer Officer.

Axonius has appointed former Disney CISO Ryan Knisley as its Chief Product Strategist.

Application security firm Checkmarx has appointed Jonathan Rende as its Chief Product Officer (CPO).

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.