:example_env: ENV_VAR_NAME :example_name: java-property-name :example_secret: example_secret_value // Set value that can be used to refer to the type of secret in, for example: // "An attacker can use this {secret_type} to ..." // Commonly used values: access token, api key, application secret, application key or consumer key, service password, OAuth token, deployment password :secret_type: secret include::../../../shared_content/secrets/description.adoc[] == Why is this an issue? include::../../../shared_content/secrets/rationale.adoc[] === What is the potential impact? // Optional: Give a general description of the secret and what it's used for. include::../../../shared_content/secrets/impact/generic_impact.adoc[] // Uncomment the following line, if specifying detailed impacts from below: // include::../../../shared_content/secrets/impact/specific_impact_intro.adoc[] // Secret may allow hosting arbitrary files // include::../../../shared_content/secrets/impact/malware_distribution.adoc[] // Secret may allow accessing or compromising sensitive data // include::../../../shared_content/secrets/impact/data_compromise.adoc[] // Secret may allow uploading artifacts to services used elsewhere in the supply chain // This is specific for code and artifact repositories // include::../../../shared_content/secrets/impact/supply_chain_attack.adoc[] // Secret may be used to trigger workflows // This is webhook-specific // include::../../../shared_content/secrets/impact/codeless_vulnerability_chaining.adoc[] // OAuth tokens may allow accessing 3rd party services // include::../../../shared_content/secrets/impact/oauth_token_compromise.adoc[] // Mailing service compromise may allow sending spam, which may result in account termination // include::../../../shared_content/secrets/impact/suspicious_activities_termination.adoc[] // Sensitive information leak / identity impersonation, e.g., through leaked signing secret // include::../../../shared_content/secrets/impact/security_downgrade.adoc[] // Audit trail discrepancies // include::../../../shared_content/secrets/impact/non_repudiation.adoc[] // Package repository secrets may allow access to source code etc. // include::../../../shared_content/secrets/impact/source_code_compromise.adoc[] // Spamming automated calls may cause large bills and rate limited service access // include::../../../shared_content/secrets/impact/exceed_rate_limits.adoc[] // For blockchain specific tokens // include::../../../shared_content/secrets/impact/blockchain_data_exposure.adoc[] // Specific for banking / financial transaction tokens, causing financial loss // include::../../../shared_content/secrets/impact/banking_financial_loss.adoc[] // Secret can be used to send spam or phish users // include::../../../shared_content/secrets/impact/phishing.adoc[] // Secret may allow modifying application data (object stores etc.) // include::../../../shared_content/secrets/impact/data_modification.adoc[] // Specific to services that are used to share PII (personal infos, chat logs, ..) // include::../../../shared_content/secrets/impact/personal_data_compromise.adoc[] // Secret may allow accessing financial data, like CC information or confidential financial reports // include::../../../shared_content/secrets/impact/disclosure_of_financial_data.adoc[] // Secret may allow occurring financial losses through 3rd party API usage // include::../../../shared_content/secrets/impact/financial_loss.adoc[] // Secret may be used to modify dashboards to corrupt shown data // Requires setting service_name variable // :service_name: secret service // include::../../../shared_content/secrets/impact/dataviz_takeover.adoc[] // Secret is related to IaaS providers and can be used to change DNS, launch VMs, etc. // Requires setting service_name variable // :service_name: secret service // include::../../../shared_content/secrets/impact/infrastructure_takeover.adoc[] == How to fix it // 1. Revoke leaked secrets include::../../../shared_content/secrets/fix/revoke.adoc[] // 2. Analyze recent use to identify misuse include::../../../shared_content/secrets/fix/recent_use.adoc[] // 3. Use a secret vault in the future include::../../../shared_content/secrets/fix/vault.adoc[] // 4. Never hard-code secrets include::../../../shared_content/secrets/fix/default.adoc[] // OAuth PKCE is very specific to OAuth 2.0 // include::../../../shared_content/secrets/fix/oauth_pkce.adoc[] === Code examples include::../../../shared_content/secrets/examples.adoc[] //=== How does this work? //=== Pitfalls //=== Going the extra mile == Resources include::../../../shared_content/secrets/resources/standards.adoc[] //=== Benchmarks