vincentcox / StaCoAn

StaCoAn is a crossplatform tool which aids developers, bugbounty hunters and ethical hackers performing static code analysis on mobile applications.
MIT License
827 stars 129 forks source link

Adding more regex to find sensitive data #67

Open narayan8291 opened 6 years ago

narayan8291 commented 6 years ago

Consider adding these regular expressions which are not part of the list,

  1. .([a-zA-Z0-9]-[a-zA-Z0-9]){3,10}. => To find salts, nonce used in code.
  2. ([-]+(BEGIN\sRSA\sPRIVATE\sKEY)[-]+[A-Za-z\s0-9+/.=]{400}) => RSA Private keys
  3. (?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=]) => AWS Secret Keys
  4. [0-9a-f]{32} => FB Secret Keys
  5. ((xoxp)-[0-9]+-[A-Za-z0-9]+) => Slack Tokens

This list can also be extended to Twitter Keys, Tumblr keys.

vincentcox commented 6 years ago

Thanks for the regex's, I will try to add them as soon as possible. I need to perform some tests on them first.

vincentcox commented 6 years ago
  1. About the salts, I think they can be longer than 10 characters?
  2. Regex seems to work: https://regex101.com/r/xXPGNa/2
  3. Reges seems to work: https://regex101.com/r/CD4fbR/1 (ToDo: Test on APK's before deploying because it can trigger false positives)*
  4. (ToDo: Test on APK's before deploying because it can trigger false positives)*
  5. (ToDo: Test on APK's before deploying because it can trigger false positives)*

*: I will do this asap