Merge pull request #112 from blacklanternsecurity/new_keys_jan_2024

New keys Jan 2024
blacklanternsecurity · Jan 30, 2024 · 0b07831 · 0b07831
2 parents 0c379d3 + 2685a4d
commit 0b07831
Show file tree

Hide file tree

Showing 17 changed files with 125,989 additions and 39,087 deletions.
diff --git a/badsecrets/modules/django_signedcookies.py b/badsecrets/modules/django_signedcookies.py
@@ -10,7 +10,7 @@ class DjangoSignedCookies(BadsecretsBase):
     def check_secret(self, django_signed_cookie):
         if not self.identify(django_signed_cookie):
             return False
-        for l in set(list(self.load_resources(["django_secret_keys.txt", "top_10000_passwords.txt"]))):
+        for l in set(list(self.load_resources(["django_secret_keys.txt", "top_100000_passwords.txt"]))):
             secret_key = l.rstrip()
             try:
                 r = djangoLoads(

diff --git a/badsecrets/modules/express_signedcookies_cs.py b/badsecrets/modules/express_signedcookies_cs.py
@@ -63,7 +63,7 @@ def check_secret(self, express_signed_cookie_data, *args):
         if not sig:
             return False
 
-        for l in set(list(self.load_resources(["express_session_secrets.txt", "top_10000_passwords.txt"]))):
+        for l in set(list(self.load_resources(["express_session_secrets.txt", "top_100000_passwords.txt"]))):
             secret = l.rstrip()
             r = self.expressVerify_cs(express_signed_cookie_data, sig, secret)
             if r:

diff --git a/badsecrets/modules/express_signedcookies_es.py b/badsecrets/modules/express_signedcookies_es.py
@@ -52,7 +52,7 @@ def check_secret(self, express_signed_cookie):
         if not self.identify(express_signed_cookie):
             return False
 
-        for l in set(list(self.load_resources(["express_session_secrets.txt", "top_10000_passwords.txt"]))):
+        for l in set(list(self.load_resources(["express_session_secrets.txt", "top_100000_passwords.txt"]))):
             session_secret = l.rstrip()
 
             r = self.expressVerify_es(express_signed_cookie, session_secret)

diff --git a/badsecrets/modules/flask_signedcookies.py b/badsecrets/modules/flask_signedcookies.py
@@ -12,7 +12,7 @@ class Flask_SignedCookies(BadsecretsBase):
     def check_secret(self, flask_cookie):
         if not self.identify(flask_cookie):
             return None
-        for l in set(list(self.load_resources(["flask_secret_keys.txt", "top_10000_passwords.txt"]))):
+        for l in set(list(self.load_resources(["flask_secret_keys.txt", "top_100000_passwords.txt"]))):
             password = l.rstrip()
             r = flaskVerify(value=flask_cookie, secret=password)
             if r:

diff --git a/badsecrets/modules/generic_jwt.py b/badsecrets/modules/generic_jwt.py
@@ -88,7 +88,7 @@ def check_secret(self, JWT):
             return None
 
         if algorithm[0].lower() == "h":
-            for l in self.load_resources(["jwt_secrets.txt"]):
+            for l in self.load_resources(["jwt_secrets.txt", "top_100000_passwords.txt"]):
                 key = l.strip()
 
                 r = self.jwtVerify(JWT, key, algorithm)

diff --git a/badsecrets/modules/jsf_viewstate.py b/badsecrets/modules/jsf_viewstate.py
@@ -230,7 +230,7 @@ def check_secret(self, jsf_viewstate_value):
             else:
                 jsf_viewstate_value = base64.b64encode(uncompressed)
 
-        for l in set(list(self.load_resources(["jsf_viewstate_passwords.txt", "top_10000_passwords.txt"]))):
+        for l in set(list(self.load_resources(["jsf_viewstate_passwords.txt", "top_100000_passwords.txt"]))):
             with suppress(ValueError):
                 password = l.rstrip()
                 if self.DES3_decrypt(jsf_viewstate_value, password):

diff --git a/badsecrets/modules/peoplesoft_pstoken.py b/badsecrets/modules/peoplesoft_pstoken.py
@@ -32,7 +32,7 @@ def check_secret(self, PS_TOKEN_B64):
         if h.digest() == SHA1_mac:
             return {"secret": f"Username: {username} Password: BLANK PASSWORD!", "details": None}
 
-        for l in set(list(self.load_resources(["peoplesoft_passwords.txt", "top_10000_passwords.txt"]))):
+        for l in set(list(self.load_resources(["peoplesoft_passwords.txt", "top_100000_passwords.txt"]))):
             password = l.strip()
 
             h = hashlib.sha1(PS_TOKEN_DATA + password.encode("utf_16_le", errors="ignore"))

diff --git a/badsecrets/resources/aspnet_machinekeys.txt b/badsecrets/resources/aspnet_machinekeys.txt
diff --git a/badsecrets/resources/django_secret_keys.txt b/badsecrets/resources/django_secret_keys.txt
@@ -721,4 +721,11 @@ zze11wwtq=o$lrx^afg(5@*40n6@=#jrgi0grj0rlybv_u^7s!
 zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
 {{ secret_key }}
 ~*secret-key*~
-~this_is_a_super_secret_passphrase_that_must_not_be_made_public~
+~this_is_a_super_secret_passphrase_that_must_not_be_made_public~
+django-insecure-aoc9h$2+(d=$j^d6y5!1i=mc8p2yk)9rj&2woaje1oant$svhv
+django-insecure-ml49cp(e)=yakpevh4xz)3w)6xuq6kv7g&3^xf^)gr-n3&p#%9
+*%0e@-7suq*h#2(srya8n&lhb(qy+73xj_db)tpq4qenknk2%
+encryptedsecretkey
+encrptedsecretkey
+6ps8j!crjgrxt34cqbqn7x&b3y%(fny8k8nh21+qa)%ws3fh!q
+django-insecure-rt@&+(5fp=+$$hj87no^w40l&d-q6wk5b3jdvos_=kt#@+85b8f