Create a grep plugin that will find private keys in HTTP responses. I just found a private key with nikto and a little bit of luck :+1:
The key was in a format that matched:
-----BEGIN RSA PRIVATE KEY-----
It would be nice to research the top 3 most common formats for storing keys, and identifying a way to match each of those.
This is a really easy task since the grep plugin only needs to match against a couple of strings and create a vuln if they match. Pull requests are welcome!
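
A sketch of the matching logic requested above, added here as an example and not code from the project: it is a standalone Python function, not a plugin for any particular scanner API. Only the RSA header comes from the issue; the other PEM labels, the function names and the sample response bodies are assumptions constructed for illustration.

```python
import re

# PEM labels that mark private key material. "RSA PRIVATE KEY" is the one
# from the issue; the rest are assumed candidates for the other common
# encodings (PKCS#8, SEC1 EC, DSA, OpenSSH, OpenPGP armor).
PRIVATE_LABELS = (
    "RSA PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY",
    "EC PRIVATE KEY", "DSA PRIVATE KEY", "OPENSSH PRIVATE KEY",
    "PGP PRIVATE KEY BLOCK",
)
BEGIN_RE = re.compile(
    r"-----BEGIN (%s)-----" % "|".join(re.escape(lab) for lab in PRIVATE_LABELS)
)

def find_private_keys(body):
    """Return one finding per private key header in a response body."""
    findings = []
    for m in BEGIN_RE.finditer(body):
        label = m.group(1)
        end = body.find("-----END %s-----" % label, m.end())
        block = body[m.end():end] if end != -1 else ""
        findings.append({
            "label": label,
            "offset": m.start(),
            # No footer means a truncated key: still worth reporting.
            "complete": end != -1,
            # Passphrase-protected PEM is still a leak, but lower severity.
            "encrypted": label == "ENCRYPTED PRIVATE KEY"
                         or "Proc-Type: 4,ENCRYPTED" in block,
        })
    return findings

# Constructed sample bodies keyed by URL path; "filler" is not key material.
SAMPLES = {
    "/backup/server.key": "-----BEGIN RSA PRIVATE KEY-----\nfiller\n"
                          "-----END RSA PRIVATE KEY-----\n",
    "/id_rsa.old": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                   "\nfiller\n-----END RSA PRIVATE KEY-----\n",
    "/debug.log": "loaded key -----BEGIN EC PRIVATE KEY-----\nfiller",
    "/pub.pem": "-----BEGIN PUBLIC KEY-----\nfiller\n-----END PUBLIC KEY-----\n",
}

def scan(responses):
    """Map each URL with at least one finding to its list of findings."""
    hits = {}
    for url, body in responses.items():
        found = find_private_keys(body)
        if found:
            hits[url] = found
    return hits
```

The findings carry only the label and offset, never the matched key text, so scan reports do not become a second copy of the leaked key.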