Blog

Obtain secrets from different sources

Obtain secrets from storage buckets, static landing pages and other static content with examples

schedule a call

Public info: threat model

Storage buckets, static landing pages and other static content

can be enumerated, sometimes surprisingly so
ranges from .git and deploy scripts to secrets in static JS
can contain secrets that are only usable in the application context (e.g. session encryption keys)

Landings and static content: example

A landing page deployed automatically may contain this:

Buckets: examples

lots of “lists of shame”:

Third-party services

A list of examples ordered by frequency of exploitation:

File sharing solutions (the worst of them all)
Jira/Confluence/other knowledge bases
Backup solutions especially self-developed ones

Third-party services: what can happen

This:

Secure secrets management in Docker containers. Part 1

Secure secrets management in Docker containers from the offensive point of view. With examples and demo scripts. Read more

Secure secrets management in Docker containers. Part 2

Secure secrets management in Docker containers from the offensive point of view. Secrets in memory. Secrets in build arguments Read more

Bash/zsh scripts. Part 3

Secure secrets management in Docker containers from the offensive point of view. Secrets in bash/zsh scripts. Secrets in logs. Read more