{"id":13642368,"url":"https://github.com/m4ll0k/SecretFinder","last_synced_at":"2025-04-20T16:31:59.354Z","repository":{"id":37695287,"uuid":"270631619","full_name":"m4ll0k/SecretFinder","owner":"m4ll0k","description":"SecretFinder - A python script for find sensitive data (apikeys, accesstoken,jwt,..) and search anything on javascript files ","archived":false,"fork":false,"pushed_at":"2024-05-26T09:36:41.000Z","size":34,"stargazers_count":2011,"open_issues_count":36,"forks_count":375,"subscribers_count":48,"default_branch":"master","last_synced_at":"2024-10-29T15:27:00.112Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/m4ll0k.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-06-08T10:50:12.000Z","updated_at":"2024-10-29T12:12:58.000Z","dependencies_parsed_at":"2023-01-31T19:01:24.701Z","dependency_job_id":"e6892642-f1b6-45d6-8103-63822e0e3f63","html_url":"https://github.com/m4ll0k/SecretFinder","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/m4ll0k%2FSecretFinder","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/m4ll0k%2FSecretFinder/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/m4ll0k%2FSecretFinder/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/m4ll0k%2FSecretFinder/manifests","owner_url":"https://repos.ecosyste.ms/api
/v1/hosts/GitHub/owners/m4ll0k","download_url":"https://codeload.github.com/m4ll0k/SecretFinder/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":223832983,"owners_count":17210759,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-02T01:01:30.518Z","updated_at":"2024-11-09T13:31:33.710Z","avatar_url":"https://github.com/m4ll0k.png","language":"Python","funding_links":[],"categories":["Weapons","[](#table-of-contents) Table of contents","相关工具","Miscellaneous","Python","Web安全"],"sub_categories":["Tools","[](#source-code-analyzes)Source Code Analyzes","隐私相关领域法规/条例","Secrets"],"readme":"\n## About SecretFinder\n\nSecretFinder is a Python script based on [LinkFinder](https://github.com/GerbenJavado/LinkFinder), written to discover sensitive data such as API keys, access tokens, authorization values, JWTs, etc. in JavaScript files. It does so by using jsbeautifier for Python in combination with a fairly large regular expression. That regular expression consists of four smaller regular expressions. 
 These are responsible for finding and searching for anything in JS files.\n\nThe output is given in HTML or plain text.\n\n![main](https://i.imgur.com/D7MT2KL.png)\n\n## Help\n\n```\nusage: SecretFinder.py [-h] [-e] -i INPUT [-o OUTPUT] [-r REGEX] [-b]\n                       [-c COOKIE] [-g IGNORE] [-n ONLY] [-H HEADERS]\n                       [-p PROXY]\n\noptional arguments:\n  -h, --help            show this help message and exit\n  -e, --extract         Extract all javascript links located in a page and\n                        process it\n  -i INPUT, --input INPUT\n                        Input a: URL, file or folder\n  -o OUTPUT, --output OUTPUT\n                        Where to save the file, including file name. Default:\n                        output.html\n  -r REGEX, --regex REGEX\n                        RegEx for filtering purposes against found endpoint\n                        (e.g: ^/api/)\n  -b, --burp            Support burp exported file\n  -c COOKIE, --cookie COOKIE\n                        Add cookies for authenticated JS files\n  -g IGNORE, --ignore IGNORE\n                        Ignore js url, if it contain the provided string\n                        (string;string2..)\n  -n ONLY, --only ONLY  Process js url, if it contain the provided string\n                        (string;string2..)\n  -H HEADERS, --headers HEADERS\n                        Set headers (\"Name:Value\\nName:Value\")\n  -p PROXY, --proxy PROXY\n                        Set proxy (host:port)\n\n```\n\n## Installation\n\nSecretFinder supports Python 3.\n\n```\n$ git clone https://github.com/m4ll0k/SecretFinder.git secretfinder\n$ cd secretfinder\n$ python -m pip install -r requirements.txt   # or: pip install -r requirements.txt\n$ python3 SecretFinder.py\n```\n\n## Usage\n\n- Most basic usage: find sensitive data with the default regexes in an online JavaScript file and write the HTML results to results.html:\n\n`python3 SecretFinder.py -i https://example.com/1.js -o results.html`
\n\n- CLI/STDOUT output (doesn't use jsbeautifier, which makes it very fast):\n\n`python3 SecretFinder.py -i https://example.com/1.js -o cli`\n\n- Analyzing an entire domain and its JS files:\n\n`python3 SecretFinder.py -i https://example.com/ -e`\n\n- Ignore certain JS files (such as external libraries) with `-g`/`--ignore`:\n\n`python3 SecretFinder.py -i https://example.com/ -e -g 'jquery;bootstrap;api.google.com'`\n\n- Process only certain JS files with `-n`/`--only`:\n\n`python3 SecretFinder.py -i https://example.com/ -e -n 'd3i4yxtzktqr9n.cloudfront.net;www.myexternaljs.com'`\n\n- Use your own regex:\n\n`python3 SecretFinder.py -i https://example.com/1.js -o cli -r 'apikey=my.api.key[a-zA-Z]+'`\n\n- Other options: add headers, a proxy and cookies:\n\n`python3 SecretFinder.py -i https://example.com/ -e -o cli -c 'mysessionid=111234' -H 'x-header:value1\\nx-header2:value2' -p 127.0.0.1:8080 -r 'apikey=my.api.key[a-zA-Z]+'`\n\n- The input accepts any of the following:\n\n - URL: e.g. https://www.google.com/ (`-e` is required)\n - JS URL: e.g. https://www.google.com/1.js\n - Folder: e.g.
 myjsfiles/*\n - Local file: e.g. /js/myjs/file.js\n\n## Add a regex\n\n- Open `SecretFinder.py` and add your regex to the `_regex` dictionary (each entry maps a name to a raw-string regular expression):\n\n```py\n_regex = {\n    'google_api'     : r'AIza[0-9A-Za-z-_]{35}',\n    'google_captcha' : r'6L[0-9A-Za-z-_]{38}|^6[0-9a-zA-Z_-]{39}$',\n    'google_oauth'   : r'ya29\\.[0-9A-Za-z\\-_]+',\n    'amazon_aws_access_key_id' : r'A[SK]IA[0-9A-Z]{16}',\n    # single backslash-escaped dots: the literal 'amzn.mws.' prefix followed by a UUID\n    'amazon_mws_auth_toke' : r'amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}',\n    'amazon_aws_url' : r's3\\.amazonaws.com[/]+|[a-zA-Z0-9_-]*\\.s3\\.amazonaws.com',\n    'facebook_access_token' : r'EAACEdEose0cBA[0-9A-Za-z]+',\n    'authorization_basic' : r'basic\\s*[a-zA-Z0-9=:_\\+\\/-]+',\n    'authorization_bearer' : r'bearer\\s*[a-zA-Z0-9_\\-\\.=:_\\+\\/]+',\n    'authorization_api' : r'api[key|\\s*]+[a-zA-Z0-9_\\-]+',\n    'mailgun_api_key' : r'key-[0-9a-zA-Z]{32}',\n    'twilio_api_key' : r'SK[0-9a-fA-F]{32}',\n    'twilio_account_sid' : r'AC[a-zA-Z0-9_\\-]{32}',\n    'twilio_app_sid' : r'AP[a-zA-Z0-9_\\-]{32}',\n    'paypal_braintree_access_token' : r'access_token\\$production\\$[0-9a-z]{16}\\$[0-9a-f]{32}',\n    'square_oauth_secret' : r'sq0csp-[ 0-9A-Za-z\\-_]{43}|sq0[a-z]{3}-[0-9A-Za-z\\-_]{22,43}',\n    'square_access_token' : r'sqOatp-[0-9A-Za-z\\-_]{22}|EAAA[a-zA-Z0-9]{60}',\n    'stripe_standard_api' : r'sk_live_[0-9a-zA-Z]{24}',\n    'stripe_restricted_api' : r'rk_live_[0-9a-zA-Z]{24}',\n    'github_access_token' : r'[a-zA-Z0-9_-]*:[a-zA-Z0-9_\\-]+@github\\.com*',\n    'rsa_private_key' : r'-----BEGIN RSA PRIVATE KEY-----',\n    'ssh_dsa_private_key' : r'-----BEGIN DSA PRIVATE KEY-----',\n    'ssh_dc_private_key' : r'-----BEGIN EC PRIVATE KEY-----',\n    'pgp_private_block' : r'-----BEGIN PGP PRIVATE KEY BLOCK-----',\n    'json_web_token' : r'ey[A-Za-z0-9-_=]+\\.[A-Za-z0-9-_=]+\\.?[A-Za-z0-9-_.+/=]*$',\n\n    'name_for_my_regex' : r'my_regex',\n    # for example: a single quantifier {10,50} on \\w (\"\\w+{10,50}\" is not a valid pattern)\n    'example_api_key'    :
 r'^example\\w{10,50}'\n}\n\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fm4ll0k%2FSecretFinder","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fm4ll0k%2FSecretFinder","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fm4ll0k%2FSecretFinder/lists"}