HaE extension with regular expressions regex
-------------------------------------------------------------
Collect and categorise
These tools are useful when creating your own rule patterns:
-------------------------------------------------------------
Sensitive Secret
'google_api' : (r'AIza[0-9A-Za-z-_]{35}')
'firebase' : (r'AAAA[A-Za-z0-9_-]{7}:[A-Za-z0-9_-]{140}')
'google_captcha' : (r'6L[0-9A-Za-z-_]{38}|^6[0-9a-zA-Z_-]{39}$')
'google_oauth' : (r'ya29\.[0-9A-Za-z\-_]+')
'amazon_aws_access_key_id' : (r'A[SK]IA[0-9A-Z]{16}')
'amazon_mws_auth_toke' : (r'amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}')
'amazon_aws_url' : (r's3\.amazonaws.com[/]+|[a-zA-Z0-9_-]*\.s3\.amazonaws.com')
'amazon_aws_url2' : (r"(" \)
(r"[a-zA-Z0-9-\.\_]+\.s3\.amazonaws\.com"\)
(r"|s3://[a-zA-Z0-9-\.\_]+"\)
(r"|s3-[a-zA-Z0-9-\.\_\/]+"\)
(r"|s3.amazonaws.com/[a-zA-Z0-9-\.\_]+"\)
(r"|s3.console.aws.amazon.com/s3/buckets/[a-zA-Z0-9-\.\_]+)")
'facebook_access_token' : (r'EAACEdEose0cBA[0-9A-Za-z]+')
'authorization_basic' : (r'basic [a-zA-Z0-9=:_\+\/-]{5,100}')
'authorization_bearer' : (r'bearer [a-zA-Z0-9_\-\.=:_\+\/]{5,100}')
'authorization_api' : (r'api[key|_key|\s+]+[a-zA-Z0-9_\-]{5,100}')
'mailgun_api_key' : (r'key-[0-9a-zA-Z]{32}')
'twilio_api_key' : (r'SK[0-9a-fA-F]{32}')
'twilio_account_sid' : (r'AC[a-zA-Z0-9_\-]{32}')
'twilio_app_sid' : (r'AP[a-zA-Z0-9_\-]{32}')
'paypal_braintree_access_token' : r'access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}')
'square_oauth_secret' : (r'sq0csp-[ 0-9A-Za-z\-_]{43}|sq0[a-z]{3}-[0-9A-Za-z\-_]{22,43}')
'square_access_token' : (r'sqOatp-[0-9A-Za-z\-_]{22}|EAAA[a-zA-Z0-9]{60}')
'stripe_standard_api' : (r'sk_live_[0-9a-zA-Z]{24}')
'stripe_restricted_api' : (r'rk_live_[0-9a-zA-Z]{24}')
'github_access_token' : (r'[a-zA-Z0-9_-]*:[a-zA-Z0-9_\-]+@github\.com*')
'rsa_private_key' : (r'-----BEGIN RSA PRIVATE KEY-----')
'ssh_dsa_private_key' : (r'-----BEGIN DSA PRIVATE KEY-----')
'ssh_dc_private_key' : (r'-----BEGIN EC PRIVATE KEY-----')
'pgp_private_block' : (r'-----BEGIN PGP PRIVATE KEY BLOCK-----')
'json_web_token' : (r'ey[A-Za-z0-9-_=]+\.[A-Za-z0-9-_=]+\.?[A-Za-z0-9-_.+/=]*$')
'slack_token' : (r"\"api_token\":\"(xox[a-zA-Z]-[a-zA-Z0-9-]+)\"")
'SSH_privKey' : (r"([-]+BEGIN [^\s]+ PRIVATE KEY[-]+[\s]*[^-]*[-]+END [^\s]+ PRIVATE KEY[-]+)")
'Heroku API KEY' : (r'[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}')
'possible_Creds' : (r"(?i)(")
(r"password\s*[`=:\"]+\s*[^\s]+|" \)
(r"password is\s*[`=:\"]*\s*[^\s]+|" \)
(r"pwd\s*[`=:\"]*\s*[^\s]+|" \)
(r"passwd\s*[`=:\"]+\s*[^\s]+)")Find Internol IP:
[^0-9]((127\.0\.0\.1)|(10\.\d{1,3}\.\d{1,3}\.\d{1,3})|(172\.((1[6-9])|(2\d)|(3[01]))\.\d{1,3}\.\d{1,3})|(192\.168\.\d{1,3}\.\d{1,3}))-------------------------------------------------------------
JavaScript DOM
(createElement("script"))
(URLSearchParams|location.search|(.split(("|'|`)(?|&)))
(write|innerHTML)(.*((+|,)( ?)(element|location|window|document).[a-zA-Z])
(URLSearchParams|getParams|getItem|document.URL|document.documentURI|document.URLUnencoded|document.baseURI|document.cookie|document.referrer|location|location.href|location.search|location.hash|location.pathname|window.name|data|value|sessionStorage|localStorage|localStorage.getItem(.split(("|'|`)(?|&)))-------------------------------------------------------------
Files & Endpoints
Dir:Admin
\/(admin|administrator)\/
File:Admin
(admin|administrator)\.?
API Endpoint
(api|rest|soap|v(1|2|3)|wp-json|swagger|)(.?)(jsp|json|/|)
File:Leak
([a-zA-Z0-9+].(bak|log|csv))(]|}|)|"|'|`|/|d|s)
Find Endpoint
([a-zA-Z0-9+].(php|asp|aspx|jsp|jspx|py|htm|html|do|cfm))(]|}|)|"|'|`|/|d|s)
Find Backup zip file
([a-zA-Z0-9+].(tar|tar\.gz|gz|z|xz|thz||zip|zipx||rar|bz2|lzh|7z|cab|csv))(]|}|)|"|'|`|/|d|s)
File:Sensitive
(((user|database|data|info|update|sql|db|dashboard|backup|restore|old|saved|storage|internal|access|secret|password)
File:Document
(s?)).(txt|ppt|pptx|pdf|py|rb|go|pl|sql|xml|jsp|java|doc|docs|xls|xlsx|csv|db|sql|bak|log|csv))(]|}|)|"|'|`|/|d|s)
-------------------------------------------------------------
XSS
[^s+-([{\=.?.)](""|''|``|(\\|\\\\)([^\]|"|'|`))
-------------------------------------------------------------
DBMS Error
(([A-Z]):\|(t|T)he server could not|database connection|syntax error, |error, unexpected |PHP (Syntax|Parse) error:|(php|PHP):|in ([a-zA-Z0-9-/_.]+) on line (d+))SQL Error
(mysql|mssql|sqlite|MariaDB|postgresql|)
(You have an error in your SQL syntax;)
(Error: Unknown column)
(Warning.*mysql_.*)
(valid MySQL result)
(MySqlClient\.)
(DB Error:)
(com\.mysql\.jdbc\.exceptions)
(warning mysql_)
(1062 Duplicate entry)
(Illegal mix of collations \([\w\s\,]+\) and \([\w\s\,]+\) for operation)(Unclosed quotation mark after the character string)
(Incorrect syntax near)
(Server Error in '/' Application0
(Microsoft SQL Native Client error)
(quotation mark after the)
(Syntax error in string in query expression)
(Microsoft OLE DB Provider)
(Error ([\d-]+) \([\dA-Fa-f]+\))
(com\.microsoft\.sqlserver\.jdbc\.SQLServerException)
(Invalid object name .+ bad SQL grammar)
(\[(ODBC SQL Server Driver|SQL Server|ODBC Driver Manager)\])
(Unclosed quotation mark)
(warning.*mssql_.*)
(Driver.* SQL[-_]*Server)
((\W|\A)SQL Server.*Driver)
(Conversion failed when converting the)
(Cannot initialize the data source object of OLE DB provider "[\w]*" for linked server "[\w]*")(ORA-00933: SQL command not properly ended)
(ORA-00933:)
(SQL command not properly ended)
(SQL command)
(quoted string not properly terminated)
(\bORA-[0-9]{5})
(Oracle.*Driver])
(Warning.*\Woci_.*)
(Warning.*\Wora_.*)
(Warning: oci_parse())(PSQLException:)
(ERROR:)
(unterminated quoted string at or near "'")
(Position: 1orQuery failed: ERROR:)
(syntax error at or near)
(PostgreSQL.*ERROR)
(Warning.*\Wpg_.*)
(valid PostgreSQL result)
(Npgsql\.)
(org\.postgresql\.util\.PSQLException)(SQLite/JDBCDriver)
(SQLite.Exception)
(System.Data.SQLite.SQLiteException)
(Warning.*sqlite_.*)
(Warning.*SQLite3::)
(\[SQLITE_ERROR\])(Fatal error: Uncaught exception 'com_exception' with message Source: Microsoft JET Database Engine)(Microsoft JET Database Engine error '80040e14')(Microsoft OLE DB Provider for ODBC Drivers (0x80040E14))(DB2 SQL error)
(CLI Driver.*DB2)
(db2_\w+\()
(\bdb2_\w+\()(\[function.ibase.query\])
(Dynamic SQL Error)
(Warning.*ibase_.*)(org\.hsqldb\.jdbc)(Warning.*ingre_)
(Ingres SQLSTATE)
(Ingres\W.*Driver)
(HSQLDB)Last updated