bitbucket-oauth-exposure: Bitbucket OAuth Credentials Exposure

日期: 2025-08-01 | 影响软件: Bitbucket OAuth | POC: 已公开

漏洞描述

Detects exposed auth.json files containing Bitbucket OAuth credentials

PoC代码[已公开]

id: bitbucket-oauth-exposure

info:
  name: Bitbucket OAuth Credentials Exposure
  author: TheZakMan
  severity: high
  description: Detects exposed auth.json files containing Bitbucket OAuth credentials
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cwe-id: CWE-200
  tags: exposure,bitbucket,oauth,credentials,misconfig,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/auth.json"
      - "{{BaseURL}}/.auth.json"
      - "{{BaseURL}}/config/auth.json"
      - "{{BaseURL}}/configs/auth.json"
      - "{{BaseURL}}/configuration/auth.json"
      - "{{BaseURL}}/api/auth.json"
      - "{{BaseURL}}/app/auth.json"
      - "{{BaseURL}}/assets/auth.json"
      - "{{BaseURL}}/data/auth.json"
      - "{{BaseURL}}/files/auth.json"
      - "{{BaseURL}}/public/auth.json"
      - "{{BaseURL}}/static/auth.json"
      - "{{BaseURL}}/uploads/auth.json"
      - "{{BaseURL}}/backup/auth.json"
      - "{{BaseURL}}/backups/auth.json"
      - "{{BaseURL}}/tmp/auth.json"
      - "{{BaseURL}}/temp/auth.json"
      - "{{BaseURL}}/cache/auth.json"
      - "{{BaseURL}}/logs/auth.json"
      - "{{BaseURL}}/admin/auth.json"
      - "{{BaseURL}}/administrator/auth.json"
      - "{{BaseURL}}/src/auth.json"
      - "{{BaseURL}}/source/auth.json"
      - "{{BaseURL}}/www/auth.json"
      - "{{BaseURL}}/web/auth.json"
      - "{{BaseURL}}/site/auth.json"
      - "{{BaseURL}}/sites/auth.json"
      - "{{BaseURL}}/private/auth.json"
      - "{{BaseURL}}/secure/auth.json"
      - "{{BaseURL}}/secret/auth.json"
      - "{{BaseURL}}/secrets/auth.json"
      - "{{BaseURL}}/env/auth.json"
      - "{{BaseURL}}/environment/auth.json"
      - "{{BaseURL}}/test/auth.json"
      - "{{BaseURL}}/tests/auth.json"
      - "{{BaseURL}}/dev/auth.json"
      - "{{BaseURL}}/development/auth.json"
      - "{{BaseURL}}/staging/auth.json"
      - "{{BaseURL}}/prod/auth.json"
      - "{{BaseURL}}/production/auth.json"
      - "{{BaseURL}}/includes/auth.json"
      - "{{BaseURL}}/include/auth.json"
      - "{{BaseURL}}/lib/auth.json"
      - "{{BaseURL}}/libs/auth.json"
      - "{{BaseURL}}/library/auth.json"
      - "{{BaseURL}}/vendor/auth.json"
      - "{{BaseURL}}/vendors/auth.json"
      - "{{BaseURL}}/node_modules/auth.json"
      - "{{BaseURL}}/storage/auth.json"
      - "{{BaseURL}}/database/auth.json"
      - "{{BaseURL}}/db/auth.json"
      - "{{BaseURL}}/auth/auth.json"
      - "{{BaseURL}}/authentication/auth.json"
      - "{{BaseURL}}/oauth/auth.json"
      - "{{BaseURL}}/keys/auth.json"
      - "{{BaseURL}}/credentials/auth.json"
      - "{{BaseURL}}/creds/auth.json"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "bitbucket-oauth"
          - "bitbucket"
        condition: or
        case-insensitive: true

      - type: regex
        regex:
          - "(?i)consumer[-_]*secret"
          - "(?i)consumer[-_]*key"

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: bitbucket_credentials
        group: 1
        regex:
          - '"consumer-key":\s*"([^"]+)"'
          - '"consumer-secret":\s*"([^"]+)"'
          - '"consumer_key":\s*"([^"]+)"'
          - '"consumer_secret":\s*"([^"]+)"'

      - type: regex
        name: bitbucket_oauth_block
        regex:
          - '"bitbucket-oauth":\s*\{[^}]+\}'
          - '"bitbucket":\s*\{[^}]+\}'
# digest: 4b0a00483046022100daf5c379d7425d219ed3884b4eb3d15d0f5f3dc75c9ed56bb5ea417f20f18ec5022100d76e4051a013522ab33c1ccd4a481fe649ec1c9919cc3735286b158810ef6387:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/exposures/files/bitbucket-oauth-exposure.yaml