SecretFinder | Python Script Based Tool


SecretFinder is a Python script for finding secrets in JavaScript files. It is based on LinkFinder and is also available as a Burp Suite extension. It looks for secret keys, access tokens, Authorization headers, JWTs and other sensitive strings that end up in client-side JavaScript, which makes it a useful tool in web application testing. Before matching, the script runs the JavaScript through jsbeautifier, so the regular expressions are applied to readable, line-separated code and the reported matches are easy to read as well.

The output is given in plain text or HTML.


Installation:

First open the SecretFinder repository page (the tool is distributed as a Git repository) and run the following commands:

$ git clone <repository-clone-url>

Clone the repository with the clone URL shown on the repository page.

$ cd SecretFinder

Change into the directory that git created.

$ pip3 install -r requirements.txt

Install the dependencies listed in requirements.txt with pip3, including jsbeautifier, which the tool uses to format the JavaScript before scanning.

$ python3 SecretFinder.py -h

Finally, run the script with python3; -h prints the available options.


Basic usage: scan an online JavaScript file with the default regexes and write the findings to an HTML report.

python3 SecretFinder.py -i <url-of-js-file> -o results.html

Print the results in the terminal instead:

python3 SecretFinder.py -i <url-of-js-file> -o cli

Analyse a whole page: with -e the tool extracts every JavaScript file referenced by the page at the given URL and scans each of them.

python3 SecretFinder.py -i <url-of-page> -e

Use your own regex:

python3 SecretFinder.py -i <url-of-js-file> -o cli -r 'apikey=my.api.key[a-zA-Z]+'

Add Your Own Regex to SecretFinder

Open the script, find the _regex dictionary shown below, and add your own pattern as a new entry (a label followed by a raw-string regex):

_regex = {
    'google_api'     : r'AIza[0-9A-Za-z-_]{35}',
    # The second alternative is anchored with ^ and $, so it only matches when
    # the token is a whole line on its own (beautified output produces such lines).
    'google_captcha' : r'6L[0-9A-Za-z-_]{38}|^6[0-9a-zA-Z_-]{39}$',
    'google_oauth'   : r'ya29\.[0-9A-Za-z\-_]+',
    'amazon_aws_access_key_id' : r'A[SK]IA[0-9A-Z]{16}',
    # Single backslash before each dot: in a raw string '\\.' would mean
    # "a literal backslash followed by any character" and never match a real token.
    'amazon_mws_auth_toke' : r'amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}',
    'amazon_aws_url' : r's3\.amazonaws\.com[/]+|[a-zA-Z0-9_-]*\.s3\.amazonaws\.com',
    'facebook_access_token' : r'EAACEdEose0cBA[0-9A-Za-z]+',
    'authorization_basic' : r'basic\s*[a-zA-Z0-9=:_\+\/-]+',
    'authorization_bearer' : r'bearer\s*[a-zA-Z0-9_\-\.=:_\+\/]+',
    # Note: [key|\s*] is a character class (k, e, y, |, *, whitespace), not an
    # alternation, so this matches "api" followed by any run of those characters.
    'authorization_api' : r'api[key|\s*]+[a-zA-Z0-9_\-]+',
    'mailgun_api_key' : r'key-[0-9a-zA-Z]{32}',
    'twilio_api_key' : r'SK[0-9a-fA-F]{32}',
    'twilio_account_sid' : r'AC[a-zA-Z0-9_\-]{32}',
    'twilio_app_sid' : r'AP[a-zA-Z0-9_\-]{32}',
    'paypal_braintree_access_token' : r'access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}',
    'square_oauth_secret' : r'sq0csp-[ 0-9A-Za-z\-_]{43}|sq0[a-z]{3}-[0-9A-Za-z\-_]{22,43}',
    'square_access_token' : r'sqOatp-[0-9A-Za-z\-_]{22}|EAAA[a-zA-Z0-9]{60}',
    'stripe_standard_api' : r'sk_live_[0-9a-zA-Z]{24}',
    'stripe_restricted_api' : r'rk_live_[0-9a-zA-Z]{24}',
    'github_access_token' : r'[a-zA-Z0-9_-]*:[a-zA-Z0-9_\-]+@github\.com*',
    'rsa_private_key' : r'-----BEGIN RSA PRIVATE KEY-----',
    'ssh_dsa_private_key' : r'-----BEGIN DSA PRIVATE KEY-----',
    'ssh_dc_private_key' : r'-----BEGIN EC PRIVATE KEY-----',
    'pgp_private_block' : r'-----BEGIN PGP PRIVATE KEY BLOCK-----',
    # Anchored with $: only a token that ends its line is reported.
    'json_web_token' : r'ey[A-Za-z0-9-_=]+\.[A-Za-z0-9-_=]+\.?[A-Za-z0-9-_.+/=]*$',

    # Your own entries go here: replace the label and the pattern.
    'name_for_my_regex' : r'my_regex',
    # for example (\w{10,50}, not \w+{10,50}: two quantifiers in a row are a
    # "multiple repeat" syntax error in Python's re module)
    'example_api_key'    : r'^example\w{10,50}',
}
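The following is an added example, not SecretFinder's own code, written to show what happens to a rule once it is in a dictionary like the one above, and to serve the -r "use your own regex" option as well: it checks that every pattern compiles (a rule written as `^example\w+{10,50}` is rejected by Python's re module before it ever matches anything), then applies a subset of the page's patterns plus one hypothetical custom rule (`example_` followed by 24 hex digits) to a constructed JavaScript snippet. The names PATTERNS, SAMPLE_JS, validate_patterns and scan, the sample JavaScript and every value in it are made up for this example; none of the strings is a real credential.

```python
import re

# Constructed sample JavaScript (every value is made up for this example; none is a real credential).
SAMPLE_JS = """\
var cfg = {
  maps: "AIzaSy0123456789abcdefghijklmnopqrstuvw",
  billing: "sk_live_ABCDEFGHIJKLMNOPQRSTUVWX",
  cdn: "https://assets-prod.s3.amazonaws.com/app.js"
};
headers.Authorization = "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2lnbmF0dXJl";
// legacy session token: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2lnbmF0dXJl
var token = "example_6d1f9a0b2c3e4f5a7b8c9d0e";
"""

# A subset of the page's patterns, plus one custom rule (hypothetical, written for
# this example) in the corrected form: "example_" followed by 24 hex digits.
PATTERNS = {
    "google_api": r"AIza[0-9A-Za-z-_]{35}",
    "amazon_aws_url": r"s3\.amazonaws\.com[/]+|[a-zA-Z0-9_-]*\.s3\.amazonaws\.com",
    "authorization_bearer": r"bearer\s*[a-zA-Z0-9_\-\.=:_\+\/]+",
    "stripe_standard_api": r"sk_live_[0-9a-zA-Z]{24}",
    "json_web_token": r"ey[A-Za-z0-9-_=]+\.[A-Za-z0-9-_=]+\.?[A-Za-z0-9-_.+/=]*$",
    "example_api_key": r"example_[0-9a-f]{24}",
}


def validate_patterns(patterns):
    """Return {name: error message} for every regex that Python's re rejects.

    Run this on a rule before pasting it into the tool: one entry that does not
    compile breaks the whole dictionary, not just that rule.
    """
    errors = {}
    for name, pattern in patterns.items():
        try:
            re.compile(pattern, re.IGNORECASE)
        except re.error as exc:
            errors[name] = str(exc)
    return errors


def scan(js_text, patterns, per_line=True):
    """Apply every pattern to js_text and return [(rule, matched text, line number), ...].

    Patterns are compiled case-insensitively; otherwise the lowercase 'bearer' and
    'basic' rules from the list above could never hit the 'Bearer ...' headers real
    code uses. With per_line=True the text is scanned one line at a time, so ^ and $
    in a rule apply to each line; with per_line=False they apply to the whole file.
    Each (rule, value) pair is reported once.
    """
    compiled = {name: re.compile(p, re.IGNORECASE) for name, p in patterns.items()}
    chunks = js_text.splitlines(keepends=True) if per_line else [js_text]
    findings, seen, offset = [], set(), 0
    for chunk in chunks:
        for name, rx in compiled.items():
            for m in rx.finditer(chunk):
                key = (name, m.group(0))
                if key in seen:
                    continue
                seen.add(key)
                line_no = js_text.count("\n", 0, offset + m.start()) + 1
                findings.append((name, m.group(0), line_no))
        offset += len(chunk)
    return findings


if __name__ == "__main__":
    # The rule as printed on this page does not compile: '\w+{10,50}' stacks two quantifiers.
    print(validate_patterns({"example_api_key": r"^example\w+{10,50}"}))
    for rule, value, line_no in scan(SAMPLE_JS, PATTERNS):
        print(f"line {line_no:>2}  {rule:<22} {value}")
```

Two things worth noticing in the output. The JWT in the Authorization header is reported by the bearer rule but not by the json_web_token rule, because that rule ends in `$` and the token is followed by a closing quote; only the JWT that ends its line (the comment) is caught. The same rule finds nothing at all when the snippet is scanned as one string (per_line=False), which is one reason the beautifier step matters: a minified one-line bundle gives anchored rules almost nothing to match.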




