( Original text by BinaryEdge )
Deployment is something a lot of companies still struggle with. We talked about the issue with Kubernetes being deployed insecurely a few weeks ago in a blogpost and how the kubernetes pods are being hijacked to mine for cryptocurrency.
This week we look at something different but still related to deployments and exposing things to public that should not be.
One tweet from @svblxyz (whom we would also like to thank for all the help given to us on reviewing this post and giving tips on things to add) showed us an interesting google dork which made us wonder, what does this look like for IP adresses vs domain/services focused (as google search is).View image on Twitter
Don’t put your .env files in the web-server directory https://www.google.com/search?q=db_password+filetype%3Aenv …2,7829:15 PM — Sep 26, 20181,950 people are talking about thisTwitter Ads info and privacy
So we launched a scan using our distributed platform, as simple as:
> curl https://api.binaryedge.io/v1/tasks -d '{
"description": "HTTP Worldscan .env",
"type": "scan",
"options": [{
"targets": ["XXXX"],
"ports": [{
"modules": ["http"],
"port": "80",
"config": { "http_path": "/.env" }
}]
}]
}' -H 'X-Token:XXXXXX'
After this we started getting the results and of course multiple issues can be identified on these scans:
- Bad Deployments — The .ENV files being accessible is something that shouldn’t happen — there are companies exposing this type of file fully readable with no authentication.
- Weak credentials — Lots of services with a username/password combo using weak passwords.
Credentials and Tokens
Lots different types of Service Tokens were found:
- AWS — 38 tokens
- Mangopay — 9 tokens
- Stripe — 89 tokens
- Pusher — 1600 Tokens
Other tokens found include:
- PlugandPlay
- Paypal
- Mailchimp
- PhantomJS
- Mailgun
- JWT
- Shopify
- Nexmo.
- Bitly
- Braintree
- Twilio
- Recaptcha
- Ucloud
- Firebase
- Mandrill
- Slack
- Sentry.io
- Shopzcoin
Many of these systems involve financial records/ payments.
But we also found access configurations to Databases, which potentially contain customer data, such as:
- DB_PASSWORD keys: 1161
- REDIS_PASSWORD keys: 801
- MySQL credentials: 946 (username/password combos).
Looking at the passwords being used the top 3 we see they all consist of weak passwords:
1 — secret — 93
2 — root — 33
3 — adminadmin — 24
Other weak passwords found are:
- password
- test123
- foobar
When exposed tokens go super bad…
Laravel
Something that is also very dangerous is situations like the CVE-2018-15133 where if the APP_KEY is leaked for the Laravel app, allows an attacker to execute commands on the machine where the Laravel instance is running.
And our scan found: 300 APP_KEY Tokens related to Laravel.
One important note to be taken into account, we looked only at port 80 internet wide for our scan. The exposure on this can easily be much higher as other web apps will surely be exposing more .env files!