
Add new RegEx for facebook tokens #225

Merged, 4 commits, Nov 10, 2021

Conversation


@nodtem66 nodtem66 commented Nov 1, 2021

Prerequisites

Why do we need this pull request?

What GitHub issues does this fix?

Copy / paste of output

Please copy and paste the output of PyWhat with your new addition using an example that tests this addition below:

pywhat "12013331233|asdqwe12312312asdaslwke123asdalwfldfqwe"
Matched on: 12013331233|asdqwe12312312asdaslwke123asdalwfldfqwe
Name: Facebook App Token
Link:  https://developers.facebook.com/tools/debug/accesstoken/?access_token=12013331233|asdqwe12312312asdaslwke123asdalwfldfqwe
 pywhat "EAujR29N634fMDl1lPcagf55ZpzH5s4UZQBl49z0wbI6L4uBV4n6ugPUp6whoIco3dI0uOLyQ4mFx2xp56N0vXqwUuixvlMP6K1JKBSrj30NOXDVvUc20TuqH968ZYg253m96wMH2uK8tKE743hAJ747yrFMP4E7Zpt2yl1pGUmyPN6x79Dp1YqDv4seodn2"
Matched on: Pcagf55ZpzH5s4UZQBl49z0wbI6L4uBV4n6ugPUp6w
Name: Bitcoin Cash (BCH) Wallet Address
Link:  https://www.blockchain.com/bch/address/Pcagf55ZpzH5s4UZQBl49z0wbI6L4uBV4n6ugPUp6w

Matched on: Q4mFx2xp56N0vXqwUuixvlMP6K1JKBSrj30NOXDVvU
Name: Bitcoin Cash (BCH) Wallet Address
Link:  https://www.blockchain.com/bch/address/Q4mFx2xp56N0vXqwUuixvlMP6K1JKBSrj30NOXDVvU

Matched on: qH968ZYg253m96wMH2uK8tKE743hAJ747yrFMP4E7Z
Name: Bitcoin Cash (BCH) Wallet Address
Link:  https://www.blockchain.com/bch/address/qH968ZYg253m96wMH2uK8tKE743hAJ747yrFMP4E7Z

Matched on: EAujR29N634fMDl1lPcagf55ZpzH5s4UZQBl49z0wbI6L4uBV4n6ugPUp6whoIco3dI0uOLyQ4mFx2xp56N0vXqwUuixvlMP6K1JKBSrj30NOXDVvUc20TuqH968ZYg253m96wMH2uK8tKE743hAJ747yrFMP4E7Zpt2yl1pGUmyPN6x79Dp1YqDv4seodn2
Name: Facebook Access Token
Link:  https://developers.facebook.com/tools/debug/accesstoken/?access_token=EAujR29N634fMDl1lPcagf55ZpzH5s4UZQBl49z0wbI6L4uBV4n6ugPUp6whoIco3dI0uOLyQ4mFx2xp56N0vXqwUuixvlMP6K1JKBSrj30NOXDVvUc20TuqH968ZYg253m96wMH2uK8tKE743hAJ747yrFMP4E7Zpt2yl1pGUmyPN6x79Dp1YqDv4seodn2

Matched on: 3m96wMH2uK8tKE743hAJ747yrFMP4E7Zpt
Name: Bitcoin (₿) Wallet Address
Link:  https://www.blockchain.com/btc/address/3m96wMH2uK8tKE743hAJ747yrFMP4E7Zpt

Matched on: 1pGUmyPN6x79Dp1YqDv4seodn2
Name: Bitcoin (₿) Wallet Address
Link:  https://www.blockchain.com/btc/address/1pGUmyPN6x79Dp1YqDv4seodn2

Matched on: N634
Name: Latitude & Longitude Coordinates
Link:  https://www.google.com/maps/place/N634

Matched on: E743
Name: Latitude & Longitude Coordinates
Link:  https://www.google.com/maps/place/E743

Matched on: MDl1lPcagf55ZpzH5s4UZQBl49z0wbI6L4
Name: Litecoin (LTC) Wallet Address
Link:  https://live.blockcypher.com/ltc/address/MDl1lPcagf55ZpzH5s4UZQBl49z0wbI6L4

Matched on: LyQ4mFx2xp56N0vXqwUuixvlMP6K1JKBSr
Name: Litecoin (LTC) Wallet Address
Link:  https://live.blockcypher.com/ltc/address/LyQ4mFx2xp56N0vXqwUuixvlMP6K1JKBSr

Matched on: m96wMH2uK8tKE743hAJ747yrFMP4E7Zpt2
Name: Litecoin (LTC) Wallet Address
Link:  https://live.blockcypher.com/ltc/address/m96wMH2uK8tKE743hAJ747yrFMP4E7Zpt2

Matched on: R29N634fMDl1lPcagf55ZpzH5s4UZQBl49
Name: Ripple (XRP) Wallet Address
Link:  https://xrpscan.com/account/R29N634fMDl1lPcagf55ZpzH5s4UZQBl49

Matched on: rj30NOXDVvUc20TuqH968ZYg253m96wMH2
Name: Ripple (XRP) Wallet Address
Link:  https://xrpscan.com/account/rj30NOXDVvUc20TuqH968ZYg253m96wMH2

Matched on: rFMP4E7Zpt2yl1pGUmyPN6x79Dp1YqDv4s
Name: Ripple (XRP) Wallet Address
Link:  https://xrpscan.com/account/rFMP4E7Zpt2yl1pGUmyPN6x79Dp1YqDv4s

Matched on: 634fMDl1lPcagf55ZpzH5s4UZQBl49z0wbI6L4uB
Name: Google ReCaptcha API Key
Exploit: Use the command below to verify that API key is valid:
  $ curl -X POST -d "secret=634fMDl1lPcagf55ZpzH5s4UZQBl49z0wbI6L4uB&response=RESPONSE_TO_VERIFY"
https://www.google.com/recaptcha/api/siteverify


Matched on: 6ugPUp6whoIco3dI0uOLyQ4mFx2xp56N0vXqwUui
Name: Google ReCaptcha API Key
Exploit: Use the command below to verify that API key is valid:
  $ curl -X POST -d "secret=6ugPUp6whoIco3dI0uOLyQ4mFx2xp56N0vXqwUui&response=RESPONSE_TO_VERIFY"
https://www.google.com/recaptcha/api/siteverify


Matched on: 6K1JKBSrj30NOXDVvUc20TuqH968ZYg253m96wMH
Name: Google ReCaptcha API Key
Exploit: Use the command below to verify that API key is valid:
  $ curl -X POST -d "secret=6K1JKBSrj30NOXDVvUc20TuqH968ZYg253m96wMH&response=RESPONSE_TO_VERIFY"
https://www.google.com/recaptcha/api/siteverify

- Add new RegEx and tests for facebook app tokens and access token
  based on v12 API
  https://developers.facebook.com/docs/facebook-login/access-tokens/
@bee-san
Owner

bee-san commented Nov 2, 2021

@amadejpapez @piatrashkakanstantinass
[image]

Those false positives though


@ghost ghost left a comment


Can you remove the fixture/file additions and tests added to test_click.py? Also, I think that the rarity of both these regexes should be lowered since false positives are highly likely.

@nodtem66
Contributor Author

nodtem66 commented Nov 3, 2021

@bee-san I feel the same.
I've tried the new RegEx, but it means nothing.
Do you have any suggestions?

@piatrashkakanstantinass Yes

- Remove testcases from fixtures/file and test_click.py
- Adjust the rarity of Access token and App token to 0.2 and 0.3,
  respectively
@ghost

ghost commented Nov 3, 2021

We have discussed this PR with the team, and it seems that your regexes can be improved. The access token regex should be ^(EAARE0ZA[0-9A-Za-z]{190,})$, this way it is more restrictive. You can ask questions on our discord so we can answer you faster.

@nodtem66
Contributor Author

nodtem66 commented Nov 3, 2021

@bee-san @piatrashkakanstantinass Done

  • Remove test cases from fixtures/file and test_click.py

  • Adjust the rarity of Access token and App token to 0.2 and 0.3,
    respectively.

    The access token is broad, with almost no specific characters, matching the rarity of 0.2.
    Likewise, the app token has only a few specific characters (the letter | in the middle), matching the rarity of 0.3.

App token

> poetry run pywhat '1201566843289141|WG1OAKQ-dY0lSj5NKyA6uFkvF7w'
Matched on: 1201566843289
Name: Phone Number

Matched on: 120156684
Name: American Social Security Number
Description: An American Identification Number

Matched on: 1201566843289141|WG1OAKQ-dY0lSj5NKyA6uFkvF7w
Name: Facebook App Token
Link:
https://developers.facebook.com/tools/debug/accesstoken/?access_token=1201566843289141|WG1OAKQ-dY0lSj5NKyA6uFkvF7w

Matched on: 12015668432
Name: Turkish Identification Number

Access token

> poetry run pywhat --disable-boundaryless 'EAARE0ZATePjUBAFxfm2L2aWdtNXOSscOnMYktEPYJuOSrteSQZCh9VWVVKnhSSYNumEnju6XItaRhija3pA7LFPHquTbi4IDZC8k9EMByeQ4NJzCFsc40FMIQIgvnCTOK5qt6xBZCUMf7S95X6nnqCUVw2iS0DRDbqttxauxIDgBRYJ7zZABXe9V0CY872DUl3BfyINIYfCXmRZC8loACc'
Matched on: EAARE0ZATePjUBAFxfm2L2aWdtNXOSscOnMYktEPYJuOSrteSQZCh9VWVVKnhSSYNumEnju6XItaRhija3pA7LFPHquTbi4IDZC8k9EMByeQ4NJzCFsc40FMIQIgvnCTOK5qt6xBZCUMf7S95X6nnqCUVw2iS0DRDbqttxauxIDgBRYJ7zZABXe9V0CY872DUl3BfyINIYfCXmRZC8loACc
Name: Facebook Access Token
Link:  https://developers.facebook.com/tools/debug/accesstoken/?access_token=EAARE0ZATePjUBAFxfm2L2aWdtNXOSscOnMYktEPYJuOSrteSQZCh9VWVVKnhSSYNumEnju6XItaRhija3pA7LFPHquTbi4IDZC8k9EMByeQ4NJzCFsc40FMIQIgvnCTOK5qt6xBZCUMf7S95X6nnqCUVw2iS0DRDbqttxauxIDgBRYJ7zZABXe9V0CY872DUl3BfyINIYfCXmRZC8loACc
> poetry run pywhat 'EAARE0ZATePjUBAFxfm2L2aWdtNXOSscOnMYktEPYJuOSrteSQZCh9VWVVKnhSSYNumEnju6XItaRhija3pA7LFPHquTbi4IDZC8k9EMByeQ4NJzCFsc40FMIQIgvnCTOK5qt6xBZCUMf7S95X6nnqCUVw2iS0DRDbqttxauxIDgBRYJ7zZABXe9V0CY872DUl3BfyINIYfCXmRZC8loACc'
Matched on: PjUBAFxfm2L2aWdtNXOSscOnMYktEPYJuOSrteSQZC
Name: Bitcoin Cash (BCH) Wallet Address
Link:  https://www.blockchain.com/bch/address/PjUBAFxfm2L2aWdtNXOSscOnMYktEPYJuOSrteSQZC

Matched on: pA7LFPHquTbi4IDZC8k9EMByeQ4NJzCFsc40FMIQIg
Name: Bitcoin Cash (BCH) Wallet Address
Link:  https://www.blockchain.com/bch/address/pA7LFPHquTbi4IDZC8k9EMByeQ4NJzCFsc40FMIQIg

Matched on: qt6xBZCUMf7S95X6nnqCUVw2iS0DRDbqttxauxIDgB
Name: Bitcoin Cash (BCH) Wallet Address
Link:  https://www.blockchain.com/bch/address/qt6xBZCUMf7S95X6nnqCUVw2iS0DRDbqttxauxIDgB

Matched on: S95
Name: Latitude & Longitude Coordinates
Link:  https://www.google.com/maps/place/S95

Matched on: m2L2aWdtNXOSscOnMYktEPYJuOSrteSQZC
Name: Litecoin (LTC) Wallet Address
Link:  https://live.blockcypher.com/ltc/address/m2L2aWdtNXOSscOnMYktEPYJuOSrteSQZC

Matched on: mEnju6XItaRhija3pA7LFPHquTbi4IDZC8
Name: Litecoin (LTC) Wallet Address
Link:  https://live.blockcypher.com/ltc/address/mEnju6XItaRhija3pA7LFPHquTbi4IDZC8

Matched on: MByeQ4NJzCFsc40FMIQIgvnCTOK5qt6xBZ
Name: Litecoin (LTC) Wallet Address
Link:  https://live.blockcypher.com/ltc/address/MByeQ4NJzCFsc40FMIQIgvnCTOK5qt6xBZ

Matched on: Mf7S95X6nnqCUVw2iS0DRDbqttxauxIDgB
Name: Litecoin (LTC) Wallet Address
Link:  https://live.blockcypher.com/ltc/address/Mf7S95X6nnqCUVw2iS0DRDbqttxauxIDgB

Matched on: RE0ZATePjUBAFxfm2L2aWdtNXOSscOnMYk
Name: Ripple (XRP) Wallet Address
Link:  https://xrpscan.com/account/RE0ZATePjUBAFxfm2L2aWdtNXOSscOnMYk

Matched on: rteSQZCh9VWVVKnhSSYNumEnju6XItaRhi
Name: Ripple (XRP) Wallet Address
Link:  https://xrpscan.com/account/rteSQZCh9VWVVKnhSSYNumEnju6XItaRhi

Matched on: RDbqttxauxIDgBRYJ7zZABXe9V0CY872DU
Name: Ripple (XRP) Wallet Address
Link:  https://xrpscan.com/account/RDbqttxauxIDgBRYJ7zZABXe9V0CY872DU

Matched on: 6XItaRhija3pA7LFPHquTbi4IDZC8k9EMByeQ4NJ
Name: Google ReCaptcha API Key
Exploit: Use the command below to verify that API key is valid:
  $ curl -X POST -d "secret=6XItaRhija3pA7LFPHquTbi4IDZC8k9EMByeQ4NJ&response=RESPONSE_TO_VERIFY"
https://www.google.com/recaptcha/api/siteverify


Matched on: 6xBZCUMf7S95X6nnqCUVw2iS0DRDbqttxauxIDgB
Name: Google ReCaptcha API Key
Exploit: Use the command below to verify that API key is valid:
  $ curl -X POST -d "secret=6xBZCUMf7S95X6nnqCUVw2iS0DRDbqttxauxIDgB&response=RESPONSE_TO_VERIFY"
https://www.google.com/recaptcha/api/siteverify


Matched on: EAARE0ZATePjUBAFxfm2L2aWdtNXOSscOnMYktEPYJuOSrteSQZCh9VWVVKnhSSYNumEnju6XItaRhija3pA7LFPHquTbi4IDZC8k9EMByeQ4NJzCFsc40FMIQIgvnCTOK5qt6xBZCUMf7S95X6nnqCUVw2iS0DRDbqttxauxIDgBRYJ7zZABXe9V0CY872DUl3BfyINIYfCXmRZC8loACc
Name: Facebook Access Token
Link:  https://developers.facebook.com/tools/debug/accesstoken/?access_token=EAARE0ZATePjUBAFxfm2L2aWdtNXOSscOnMYktEPYJuOSrteSQZCh9VWVVKnhSSYNumEnju6XItaRhija3pA7LFPHquTbi4IDZC8k9EMByeQ4NJzCFsc40FMIQIgvnCTOK5qt6xBZCUMf7S95X6nnqCUVw2iS0DRDbqttxauxIDgBRYJ7zZABXe9V0CY872DUl3BfyINIYfCXmRZC8loACc

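An added example, not code from this PR or from pywhat: it runs the restrictive access-token regex proposed above against the three sample strings from this thread, next to a deliberately loose no-prefix variant and an app-token shape that are my own constructed approximations, and counts how many offsets an unanchored 34-character alphanumeric check fires at inside a long token, which is where the wallet-address noise in the output comes from.

```python
import re
from typing import List

# Access-token regex the maintainer proposed in this thread.
STRICT_ACCESS = re.compile(r"^(EAARE0ZA[0-9A-Za-z]{190,})$")
# A loose variant with no fixed prefix, constructed here for comparison.
# It is not the PR's own pattern.
LOOSE_ACCESS = re.compile(r"^(EA[0-9A-Za-z]{100,})$")
# Shape of the app token in the output above: <app id digits>|<opaque chars>.
# Constructed approximation, not pywhat's own regex.
APP_TOKEN = re.compile(r"^(\d{9,16})\|([0-9A-Za-z_-]{20,})$")
# Unanchored "34 alphanumerics in a row" check; the lookahead makes findall
# report every offset. Constructed stand-in for a boundaryless address regex.
ALNUM_WINDOW = re.compile(r"(?=([0-9A-Za-z]{34}))")

# Sample strings copied from the PR thread above.
MADE_UP = "EAujR29N634fMDl1lPcagf55ZpzH5s4UZQBl49z0wbI6L4uBV4n6ugPUp6whoIco3dI0uOLyQ4mFx2xp56N0vXqwUuixvlMP6K1JKBSrj30NOXDVvUc20TuqH968ZYg253m96wMH2uK8tKE743hAJ747yrFMP4E7Zpt2yl1pGUmyPN6x79Dp1YqDv4seodn2"
REALISTIC = "EAARE0ZATePjUBAFxfm2L2aWdtNXOSscOnMYktEPYJuOSrteSQZCh9VWVVKnhSSYNumEnju6XItaRhija3pA7LFPHquTbi4IDZC8k9EMByeQ4NJzCFsc40FMIQIgvnCTOK5qt6xBZCUMf7S95X6nnqCUVw2iS0DRDbqttxauxIDgBRYJ7zZABXe9V0CY872DUl3BfyINIYfCXmRZC8loACc"
APP = "1201566843289141|WG1OAKQ-dY0lSj5NKyA6uFkvF7w"


def classify(token: str) -> List[str]:
    """Names of the whole-string patterns that accept token, strictest first."""
    checks = [
        ("facebook-access-token", STRICT_ACCESS),
        ("facebook-app-token", APP_TOKEN),
        ("loose-access-token", LOOSE_ACCESS),
    ]
    return [name for name, rx in checks if rx.match(token)]


def boundaryless_windows(token: str) -> int:
    """Count the offsets at which an unanchored 34-char alphanumeric check fires.

    A token that is alphanumeric end to end lights up at nearly every position,
    so a scanner without boundaries reports it many times under other names.
    """
    return len(ALNUM_WINDOW.findall(token))


if __name__ == "__main__":
    for label, tok in (("made-up", MADE_UP), ("realistic", REALISTIC), ("app", APP)):
        print(label, classify(tok), boundaryless_windows(tok))
```

The made-up token from the first comment is rejected by the prefixed regex but accepted by the loose one, which is the difference the reviewer was asking for.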
@codecov-commenter

codecov-commenter commented Nov 7, 2021

Codecov Report

Merging #225 (b720538) into main (a5a4a3b) will not change coverage.
The diff coverage is n/a.


@@           Coverage Diff           @@
##             main     #225   +/-   ##
=======================================
  Coverage   92.60%   92.60%           
=======================================
  Files          15       15           
  Lines        1217     1217           
=======================================
  Hits         1127     1127           
  Misses         90       90           


@ghost ghost enabled auto-merge November 10, 2021 10:47
@ghost ghost disabled auto-merge November 10, 2021 10:47
@ghost

ghost commented Nov 10, 2021

The regexes clearly have some false positives, so we should improve the output order, add interactive mode or something like that. @bee-san @amadejpapez thoughts?

@ghost ghost merged commit 69da611 into bee-san:main Nov 10, 2021
This pull request was closed.
Successfully merging this pull request may close these issues.

Find / add tests for API keys!