pentest-secrets-exposure
Pentest Secrets Exposure
Purpose
Spans multiple unchecked WSTG categories — CONF-03/04 (sensitive files, backups), INFO-05 (info leakage), ERRH-01/02 (error handling, stack traces). Shannon's pre-recon focuses on architecture, not systematic secrets discovery.
Prerequisites
Authorization Requirements
- Written authorization with source code access scope (if white-box)
- Git repository access for history mining (if applicable)
- Target URL list for exposed file probing
Environment Setup
- TruffleHog for git history secret scanning
- GitLeaks for pattern-based secret detection
- Semgrep with secrets ruleset
- nuclei with exposure templates
Core Workflow