| { | ||
| "Name": "TOTP URI", | ||
| "Regex": "^([^?\\n]+:\/\/totp\/[^\\n]+secret=[A-Z2-7=]+[^\\n]+)$", | ||
| "plural_name": false, | ||
| "Description": "TOTP URI with user secret key", | ||
| "Rarity": 1, | ||
| "URL": "", | ||
| "Tags": [ | ||
| "Credentials", | ||
| "TOTP" | ||
| ] | ||
| }, |
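Review bot: the leading `[^?\\n]+` in the Regex accepts any text before `://totp/`, so a line with an unrelated scheme that merely contains `secret=` later on is tagged as a credential. The test sample in this PR uses `otpauth://`; consider anchoring the pattern to that scheme and requiring `?` or `&` directly before `secret=`, so it cannot match the tail of another parameter name.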
| { | |
| "Name": "TOTP URI", | |
| "Regex": "^([^?\\n]+:\/\/totp\/[^\\n]+secret=[A-Z2-7=]+[^\\n]+)$", | |
| "plural_name": false, | |
| "Description": "TOTP URI with user secret key", | |
| "Rarity": 1, | |
| "URL": "", | |
| "Tags": [ | |
| "Credentials", | |
| "TOTP" | |
| ] | |
| }, | |
| { | |
| "Name": "Time-Based One-Time Password (TOTP) URI", | |
| "Regex": "^([^?\\n]+:\/\/totp\/[^\\n]+secret=[A-Z2-7=]+[^\\n]+)$", | |
| "plural_name": false, | |
| "Description": null, | |
| "Rarity": 1, | |
| "URL": null, | |
| "Tags": [ | |
| "Credentials", | |
| "TOTP", | |
| "Bug Bounty" | |
| ] | |
| }, |
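Review bot: `"Description": null` in the suggested entry drops the sentence "TOTP URI with user secret key", which is the only place the entry says why a match matters. Keep a description alongside the longer Name, since the Name alone does not say that the `secret` parameter is the shared key.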
Why not! Not sure about the bug bounty tag though. I guess it would be rather useful for a pentester, searching for vulnerabilities/credentials and not proper bugs.
Well, I'll leave the Bug Bounty tag. Looking at other entries in regex.json I see it associated with similar topics like API keys.
> Not sure about the bug bounty tag though

If you have this URL, you can access someone's 2FA right? That's definitely a vuln :)
Yep, the secret arg value is what you need to get the 2FA code. This kind of URI is what is inside QR Codes provided by all websites. And you can also find it inside backup files made by people using Authy, Google Authenticator, Bitwarden, etc.
tests/test_click.py
Outdated
| def test_file_fixture_totp_URI(): | ||
| runner = CliRunner() | ||
| result = runner.invoke(main, ["fixtures/file"]) | ||
| assert result.exit_code == 0 | ||
| assert re.findall("TOTP URI", str(result.output)) |
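Review bot: the assertion searches the output for the literal `TOTP URI`, which does not occur in the suggested name `Time-Based One-Time Password (TOTP) URI` because a `)` sits between `TOTP` and `URI`, so this test fails if the rename is accepted. Update the expected string together with the Name, and match on the full name so another entry containing the same words cannot satisfy it.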
tests/test_regex_identifier.py
Outdated
| res = r.check( | ||
| [ | ||
| "otpauth://totp/Example:alice@google.com?secret=JBSWY3DPEHPK3PXP&issuer=Example" | ||
| ] | ||
| ) | ||
| assert "TOTP URI" in str(res) |
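Review bot: there is no negative case next to `assert "TOTP URI" in str(res)`, and the single input has `secret` as the first query parameter. Add an `otpauth://totp/` URI without a `secret` parameter that must not produce this match, and one where `secret` follows `issuer`.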
Can we assert it's the first item? We have a function for this at the top of this file :) _assert_match_first_item
Yep, just tested it, it does work. I think I had a doubt with regular URL match but it indeed comes as first item.
Woo! Thanks :) gonna merge! 🥳
Codecov Report
@@ Coverage Diff @@
## main #190 +/- ##
==========================================
+ Coverage 92.06% 92.11% +0.05%
==========================================
Files 13 13
Lines 1600 1611 +11
==========================================
+ Hits 1473 1484 +11
Misses 127 127
Ok, just pushed the above edits and added a more complex test, especially to test arguments position swapping inside the URI.
This commit adds TOTP URIs regex and related tests.
You might find TOTP URIs in Google Authenticator, Authy, Bitwarden, etc. backups. Or just anywhere if you're doing Android/iOS pentesting. And with its base-32 key, TOTP is all yours!
I might add some other pentesting-related regex in the next few days :)
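
An added example, not part of the pull request or the project's code: the pattern from the `regex.json` entry used as a pre-filter in a secret scanner, followed by a URL parse that confirms the `otpauth` scheme and a real `secret` parameter and redacts the key before reporting. The sample lines, the function names `pr_regex_lines` and `find_totp_secrets`, and the upper-case base32 check are assumptions of this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The pattern from the PR's regex.json entry, after JSON unescaping.
PR_REGEX = re.compile(r"^([^?\n]+://totp/[^\n]+secret=[A-Z2-7=]+[^\n]+)$")
# Assumption of this example: a secret is upper-case base32 with optional padding.
BASE32 = re.compile(r"[A-Z2-7]+=*")

# Constructed sample input; the first URI is the one used in the PR's test.
SAMPLE = """\
otpauth://totp/Example:alice@google.com?secret=JBSWY3DPEHPK3PXP&issuer=Example
otpauth://totp/Example:bob@example.com?issuer=Example&digits=6&secret=JBSWY3DPEHPK3PXP
https://totp/help?notsecret=ABC&page=2
otpauth://totp/Example:carol@example.com?issuer=Example
"""


def pr_regex_lines(text):
    """Line numbers flagged when the PR's pattern is applied to each line."""
    return [n for n, line in enumerate(text.splitlines(), 1) if PR_REGEX.match(line)]


def find_totp_secrets(text):
    """Return (line_no, redacted_uri) for lines that really carry a TOTP secret."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if not PR_REGEX.match(line):
            continue  # cheap pre-filter: the signature under review
        parts = urlsplit(line)
        secret = parse_qs(parts.query).get("secret", [""])[0]
        # Confirm scheme and OTP type before treating the line as a credential.
        if (parts.scheme, parts.netloc) != ("otpauth", "totp"):
            continue
        # Require an actual `secret` parameter, not a name that ends in "secret".
        if not BASE32.fullmatch(secret):
            continue
        # Never echo the key itself into scanner output or logs.
        hits.append((n, line.replace(secret, "<redacted>")))
    return hits


if __name__ == "__main__":
    print("pattern flags lines:", pr_regex_lines(SAMPLE))
    for n, uri in find_totp_secrets(SAMPLE):
        print(n, uri)
```

The pattern alone flags line 3 of the sample, while the parsed check reports only the two `otpauth` URIs, with the secret replaced in the output.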