---
name: pentest-secrets-exposure
description: Discover hardcoded credentials, leaked API keys, exposed configuration files, sensitive data in artifacts, and information disclosure via error handling.
---

# Pentest Secrets Exposure

## Purpose
Spans multiple unchecked WSTG categories — CONF-03/04 (sensitive files, backups), INFO-05 (info leakage), ERRH-01/02 (error handling, stack traces). Shannon's pre-recon focuses on architecture, not systematic secrets discovery.

## Prerequisites

### Authorization Requirements
- **Written authorization** with source code access scope (if white-box)
- **Git repository access** for history mining (if applicable)
- **Target URL list** for exposed file probing

### Environment Setup
- TruffleHog for git history secret scanning
- GitLeaks for pattern-based secret detection
- Semgrep with secrets ruleset
- nuclei with exposure templates

## Core Workflow
1. **Source Code Secrets**: Scan for hardcoded API keys, DB credentials, JWT signing keys, encryption keys using pattern + entropy detection.
2. **Git History Mining**: Search all commits for secrets added then removed. Check force-pushed branches. Analyze .gitignore for sensitive patterns.
3. **Exposed Config Files**: Probe for .env, .git/config, .DS_Store, wp-config.php, application.yml, docker-compose.yml with credentials (WSTG-CONF-03/04).
4. **Error Handling Disclosure**: Trigger stack traces, debug pages, verbose errors revealing internal paths, DB schemas, framework versions (WSTG-ERRH-01/02).
5. **Backup & Unreferenced Files**: .bak, .old, .swp, ~files, editor temp files, DB dumps, log files with sensitive data.
6. **Client-Side Bundle Analysis**: Extract API keys from JS bundles, source maps exposing server code, hardcoded tokens in mobile packages.
7. **Secret Validation**: Test each discovered credential for active access, document scope, assess blast radius.

## WSTG Coverage

| WSTG ID | Test Name | Status |
|---------|-----------|--------|
| WSTG-CONF-03 | Test File Extensions Handling for Sensitive Info | ✅ |
| WSTG-CONF-04 | Review Old Backup and Unreferenced Files | ✅ |
| WSTG-INFO-05 | Review Webpage Content for Information Leakage | ✅ |
| WSTG-ERRH-01 | Test Improper Error Handling | ✅ |
| WSTG-ERRH-02 | Test Stack Traces | ✅ |

## Tool Categories

| Category | Tools | Purpose |
|----------|-------|---------|
| Git Scanning | TruffleHog, GitLeaks | Secret detection in git history |
| Static Analysis | Semgrep (secrets rules), grep patterns | Source code secret scanning |
| Web Probing | nuclei (exposure templates), ffuf | Exposed file/config discovery |
| JS Analysis | SecretFinder, LinkFinder | Client-side bundle secret extraction |
| Validation | curl, custom scripts | Credential active-access testing |

## References
- `references/tools.md` - Tool function signatures and parameters
- `references/workflows.md` - Attack pattern definitions and test vectors