This is a repo full of mistakes. I will include several of the secrets I've seen commonly leaking from real projects. It will be useful for testing scanning tools such as github-dorks and truffleHog.
It's worth noting that none of the secrets here are real. They are all things I've seen before, but I've randomized or redacted all of the actual data. The vast majority of secrets will likely be taken from patterns created for github-dorks, which are primarily taken from config files for popular services. I've also worked on several scanning tools in the past. Most notably, github-dorks, PasteHunter, github-dorks, as well as GHScraper, and several other non-public or unreleased scanners. Essentially, I've seen a lot of whoopsies on git, which will also be included.
This repo was made to serve as a benchmark for secrets scanners. Repo scanning tools have varying levels of coverage, and so far the go-to option has been "slam a bunch together". This repo is also partially to test my theory that this technique still isn't really sufficient. Regardless, you can't just scan for high entropy, and you can't just scan for patterns, you need to do both!
I've written a blog post on Why We Fail at Keeping Git Secrets. If you truly want to keep your secrets safe, seperate them from your repo. If that's a config file, that's fine. If it's a secrets management/storage system, that's even better. As long as you can stop git from adding that information by default, you're unlikely to hit any problems.
| Filename | Description |
|---|---|
| .npmrc | NPM registry authentication data |
| .dockercfg | Docker registry authentication data |
| cert-key.pem | PEM Private key |
| extension:ppk private | PuTTYgen private key |
| .ssh/id_rsa | Private ssh key |
| db/dump.sql | MySQL dump w/ bcrypt hashes |
| cloud/.credentials | S3 Credentials file |
| cloud/.s3cfg | S3 Credentials file |
| cloud/.tugboat | Digital Ocean tugboat config |
| web/var/www/public_html/wp-config.php | WordPress config file |
| web/var/www/public_html/.htpasswd | htpasswd file |
| web/var/www/.env | Laravel .env (CI, various ruby based frameworks too) |
| .git-credentials | Git credentials store |
| .bashrc | .bashrc file (contains several secrets as environment variables) |
| .bash_profile | .bash_profile file (contains several secrets as environment variables) |
| db/robomongo.json | Mongolab credentials for robomongo |
| web/js/salesforce.js | Salesforce credentials in a nodejs project |
| .netrc | netrc with SMTP credentials |
| hub | Hub config that stores github tokens |
| filezilla/filezilla.xml | Filezilla config file |
| filezilla/recentservers.xml | Filezilla recent servers file |
| .docker/config.json | Docker registry authentication file |
| config | IRC config |
| db/.pgpass | PostgreSQL file which contains passwords |
| /proftpdpasswd | Usernames and passwords of proftpd created by cpanel |
| ventrilo_srv.ini | Ventrilo configuration |
| web/var/www/public_html/config.php | PHP application config file |
| etc/shadow | Linux /etc/shadow file |
| db/dbeaver-data-sources.xml | DBeaver config containing MySQL Credentials |
| /.esmtprc | esmtp configuration |
| .mozilla/firefox/logins.json | Firefox saved password collection (can be decrypted using keys4.db) |
| web/django/settings.py | Django setup.py, contains valid secret key |
| web/ruby/secrets.yml | Ruby on rails secrets.yml file (contains passwords) |
| ruby/config/master.key | Rails master key (used for decrypting credentials.yml.enc for Rails 5.2+) |
| deployment-config.json | Created by sftp-deployment for Atom, contains server details and credentials |
| .ftpconfig | Created by remote-ssh for Atom, contains SFTP/SSH server details and credentials |
| .remote-sync.json | Created by remote-sync for Atom, contains FTP and/or SCP/SFTP/SSH server details and credentials |
| .vscode/sftp.json | Created by vscode-sftp for VSCode, contains SFTP/SSH server details and credentials |
| sftp-config.json | Created by SFTP for Sublime Text, contains FTP/FTPS or SFTP/SSH server details and credentials |
| .idea/WebServers.xml | Created by Jetbrains IDEs, contains webserver credentials with encoded passwords (not encrypted!) |
| high-entropy-misc.txt | Misc high entropy strings (HES1 is plain, HES2 is base64) |
Got a question? Found something worth adding? [File an issue](https://!