keyhog-core 0.2.1

Core types, traits, and detector specs for the secret scanner
# Docs: https://docs.aws.amazon.com/lambda/latest/dg/urls-configuration.html
# Format: Lambda function URL auth token in query string (?token=...)
# Verify: GET request to function URL with token returns 200 if valid
# Prefix: none (requires URL context)

# Detector metadata for tokens carried in AWS Lambda function URLs.
# NOTE(review): Lambda function URLs themselves offer only the AWS_IAM and
# NONE auth types. A `token` query parameter is checked, if at all, by the
# function's own code, so a match is a live secret only where the application
# enforces it.
[detector]
id = "aws-lambda-function-url-secret"
name = "AWS Lambda Function URL Secret"
service = "aws"
# NOTE(review): every hit is rated "critical", including hits from the
# context-anchored pattern that has no URL attached; confirm triage expects that.
severity = "critical"
# NOTE(review): "lambda" and "token" are very common words. Presumably these
# keywords pre-filter input before the regexes run; confirm such broad terms
# do not make the filter ineffective.
keywords = ["lambda-url", "lambda", "token"]

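# Function URL with an empty path whose query string carries `token=`.
# Capture group 1 is the token value: 20 or more URL-safe characters.
# The query part is matched with \S* rather than .* so that the captured token
# has to sit inside this URL and cannot come from unrelated text later on the
# same line.
# NOTE(review): `token=` also matches the tail of longer parameter names such
# as `csrf_token=`; decide whether that is intended.
# NOTE(review): the path-aware pattern in this file accepts an empty path too,
# so it overlaps with this one; keep the two query-string expressions in step.
[[detector.patterns]]
regex = "https://[a-z0-9]{12,}\\.lambda-url\\.[a-z0-9-]+\\.on\\.aws/\\?\\S*token=([a-zA-Z0-9_-]{20,})"
description = "AWS Lambda function URL with auth token in query string"
group = 1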

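# Function URL with an optional single path segment, then a query string that
# carries `token=`. Capture group 1 is the token value: 20 or more URL-safe
# characters.
# The query part is matched with \S* rather than .* so that the captured token
# has to sit inside this URL and cannot come from unrelated text later on the
# same line.
# NOTE(review): the path class has no "/" or ".", so URLs with deeper paths
# (for example /api/v1) are not matched; confirm that is acceptable.
# NOTE(review): `token=` also matches the tail of longer parameter names such
# as `csrf_token=`; decide whether that is intended.
[[detector.patterns]]
regex = "https://[a-z0-9]{12,}\\.lambda-url\\.[a-z0-9-]+\\.on\\.aws/[a-zA-Z0-9_-]*\\?\\S*token=([a-zA-Z0-9_-]{20,})"
description = "AWS Lambda function URL with path and auth token"
group = 1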

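# Context-anchored fallback: a name such as LAMBDA_URL_TOKEN or
# lambda-url-token, followed by one or more separators (=, :, whitespace,
# quotes), then the token value as capture group 1.
# Each word is accepted only in all-upper or all-lower case, so mixed-case
# spellings such as "Lambda" are not matched.
# The separator class used to list the single quote twice, the second time as
# an escaped \'. The duplicate is dropped; the set of accepted characters is
# unchanged. NOTE(review): some regex engine versions reject unnecessary
# escapes such as \' outright; confirm against the engine keyhog uses.
# NOTE(review): this pattern captures no URL, so a hit has no endpoint to
# verify against.
[[detector.patterns]]
regex = "(?:LAMBDA|lambda)[_\\-\\s]*(?:URL|url)[_\\-\\s]*(?:TOKEN|token)[=:\\s\"']+([a-zA-Z0-9_-]{20,})"
description = "AWS Lambda function URL token with context anchor"
group = 1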

# Live verification: send a GET to the templated URL and treat HTTP 200 as
# "the secret is valid".
# NOTE(review): every pattern in this file sets group = 1, i.e. the bare token.
# If {{match}} expands to that captured group rather than to the whole matched
# URL, the request target is not a URL at all; confirm the template semantics.
# The context-anchored pattern never sees a URL, so its hits cannot be
# verified this way.
# NOTE(review): a request to a function URL invokes the function in its
# owner's account and may have side effects; confirm live verification is
# opt-in and restricted to hosts the scan is authorised to contact.
[detector.verify]
method = "GET"
url = "{{match}}"

# Presumably "none" means no separate credential is attached and the token
# travels only inside the URL; verify against the verifier implementation.
[detector.verify.auth]
type = "none"

# NOTE(review): a 200 alone does not show that the token was checked. A
# function that ignores the parameter answers 200 with or without it, so this
# rule can mark a non-secret as verified.
[detector.verify.success]
status = 200