keyhog-core 0.2.1

Core types, traits, and detector specs for the secret scanner
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37

# Docs: https://developers.formstack.com/reference/oauth-20-overview
# Format: OAuth2 access token (40+ alphanumeric characters)
# Verify: GET /v2/form.json with Bearer token returns 200 if valid
# Prefix: none (requires context anchoring)

[detector]
id = "formstack-api-credentials"
name = "Formstack API Credentials"
service = "formstack"
severity = "high"
keywords = ["formstack", "FORMSTACK_ACCESS_TOKEN", "formstack_api"]

[[detector.patterns]]
regex = "(?:formstack|FORMSTACK)[_.\\s]*(?:access[_\\s]*token|api[_\\s]*key|oauth[_\\s]*token)[\\s\"'']+([a-f0-9]{40,})"
description = "Formstack access token with context anchor"
group = 1

[[detector.patterns]]
regex = "(?:formstack|FORMSTACK)[_.\\s]*(?:client[_\\s]*id|CLIENT[_\\s]*ID)[\\s\"'']+([a-zA-Z0-9]{20,})"
description = "Formstack client ID with context anchor"
group = 1

[[detector.patterns]]
regex = "(?:formstack|FORMSTACK)[_.\\s]*(?:client[_\\s]*secret|CLIENT[_\\s]*SECRET)[\\s\"'']+([a-zA-Z0-9]{20,})"
description = "Formstack client secret with context anchor"
group = 1

[detector.verify]
method = "GET"
url = "https://www.formstack.com/api/v2/form.json"

[detector.verify.auth]
type = "bearer"
field = "match"

[detector.verify.success]
status = 200