Skip to content

Security: stop leaking API credentials in Recon tools (URL token + process argv)#1314

Closed
klausagnoletti wants to merge 2 commits into
danielmiessler:mainfrom
klausagnoletti:fix/security-credential-leak-recon-tools
Closed

Security: stop leaking API credentials in Recon tools (URL token + process argv)#1314
klausagnoletti wants to merge 2 commits into
danielmiessler:mainfrom
klausagnoletti:fix/security-credential-leak-recon-tools

Conversation

@klausagnoletti

Copy link
Copy Markdown

Summary

Two credential-exposure issues in Packs/Security/src/Recon/Tools/, found during a security audit of a PAI install.

1. IpinfoClient.ts - API token in URL query string

Both lookup() and batchLookup() built the request as https://ipinfo.io/...?token=${this.apiKey}. URL query strings are routinely captured in proxy logs, upstream/CDN access logs, and client history, so the ipinfo token leaks anywhere along the path. Fixed by sending it as an Authorization: Bearer <token> header (ipinfo.io supports this), which is not logged the same way.

2. SubdomainEnum.ts - API key in process arguments

runChaos() ran $`chaos -key ${key} -d ${domain} -silent` , putting PDCP_API_KEY in the process argument list where any local user/process can read it via ps//proc. chaos already reads PDCP_API_KEY from the environment, so the key is now passed via .env() and dropped from argv.

Impact

Credential disclosure (low-to-moderate): leaked API keys for ipinfo.io and ProjectDiscovery. No functional change to results.

Testing

Behavior unchanged (same endpoints, same auth, same output). Header auth verified against ipinfo.io's documented Authorization: Bearer support; chaos verified to read PDCP_API_KEY from env.

Note

A related subprocess(shell=True) in WebAssessment/WebappScripts/with_server.py was reviewed and left as-is: it executes the operator's own --server command at their existing shell privilege (needs cd/&&), so it is by-design rather than a vulnerability.

Klaus Agnoletti added 2 commits May 29, 2026 17:18
IpinfoClient.ts sent the ipinfo.io token as a ?token= URL query parameter on
both the single and batch lookups; URL query strings are routinely captured in
proxy logs, server access logs, and browser/agent history. Move the token to an
Authorization: Bearer header.

SubdomainEnum.ts passed the ProjectDiscovery key as 'chaos -key <key>', exposing
it in the process argument list (visible to any local process via ps/procfs).
chaos already reads PDCP_API_KEY from the environment, so pass it via env instead.
Document why shell=True is intentional here (operator-supplied local --server
command at the caller's own shell privilege, needs cd/&&). No behavior change;
adds a # nosec note so scanners stop flagging a non-vulnerability.
@danielmiessler

Copy link
Copy Markdown
Owner

Thanks @klausagnoletti — good security eyes. The safe patterns here are already in the current source: IpinfoClient sends the token via the Authorization header rather than the URL query string, and SubdomainEnum passes the key to chaos through the environment rather than argv, so tokens do not land in proxy logs or the process list. The with_server.py shell=True is an operator-supplied local command at the same trust level as the shell invoking it, so there is no privilege boundary to cross there. Nothing left to change. This repo is generated from our source tree, so we close rather than merge. Please pull the latest. Appreciated!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants