Security: stop leaking API credentials in Recon tools (URL token + process argv) #1314
Open
klausagnoletti wants to merge 2 commits into
added 2 commits (May 29, 2026 17:18)
IpinfoClient.ts sent the ipinfo.io token as a ?token= URL query parameter on both the single and batch lookups; URL query strings are routinely captured in proxy logs, server access logs, and browser/agent history. Move the token to an Authorization: Bearer header. SubdomainEnum.ts passed the ProjectDiscovery key as 'chaos -key <key>', exposing it in the process argument list (visible to any local process via ps/procfs). chaos already reads PDCP_API_KEY from the environment, so pass it via env instead.
Document why shell=True is intentional here (operator-supplied local --server command at the caller's own shell privilege, needs cd/&&). No behavior change; adds a # nosec note so scanners stop flagging a non-vulnerability.
Summary

Two credential-exposure issues in `Packs/Security/src/Recon/Tools/`, found during a security audit of a PAI install.

1. `IpinfoClient.ts` - API token in URL query string

   Both `lookup()` and `batchLookup()` built the request as `https://ipinfo.io/...?token=${this.apiKey}`. URL query strings are routinely captured in proxy logs, upstream/CDN access logs, and client history, so the ipinfo token leaks anywhere along the path. Fixed by sending it as an `Authorization: Bearer <token>` header (ipinfo.io supports this), which is not logged the same way.

2. `SubdomainEnum.ts` - API key in process arguments

   `runChaos()` ran `` $`chaos -key ${key} -d ${domain} -silent` ``, putting `PDCP_API_KEY` in the process argument list where any local user/process can read it via `ps`/`/proc`. `chaos` already reads `PDCP_API_KEY` from the environment, so the key is now passed via `.env()` and dropped from argv.

Impact

Credential disclosure (low-to-moderate): leaked API keys for ipinfo.io and ProjectDiscovery. No functional change to results.

Testing

Behavior unchanged (same endpoints, same auth, same output). Header auth verified against ipinfo.io's documented `Authorization: Bearer` support; chaos verified to read `PDCP_API_KEY` from env.

Note

A related `subprocess(shell=True)` in `WebAssessment/WebappScripts/with_server.py` was reviewed and left as-is: it executes the operator's own `--server` command at their existing shell privilege (needs `cd`/`&&`), so it is by-design rather than a vulnerability.
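As an added illustration (not code from this PR or the project), the two leaky shapes the description fixes sit beside their hardened forms, plus a small check a unit test can run to confirm the secret no longer appears in a URL or in argv. The `HttpRequestSpec`/`SpawnSpec` types and function names are assumptions made here; only the `Authorization: Bearer` header and the `PDCP_API_KEY` variable come from the PR text.

```typescript
// Added example, not part of PR #1314. Request/spawn specs that keep a
// credential out of the two places an observer reads without the process's
// own privileges: the URL query string and the process argument list.

interface HttpRequestSpec { url: string; headers: Record<string, string>; }
interface SpawnSpec { command: string; args: string[]; env: Record<string, string>; }

// Before: token in the query string, recorded by proxy, CDN and access logs.
function ipinfoRequestLeaky(apiKey: string, ip: string): HttpRequestSpec {
  return { url: `https://ipinfo.io/${encodeURIComponent(ip)}?token=${apiKey}`, headers: {} };
}

// After: token in an Authorization header, which access logs do not record by default.
function ipinfoRequest(apiKey: string, ip: string): HttpRequestSpec {
  return {
    url: `https://ipinfo.io/${encodeURIComponent(ip)}`,
    headers: { Authorization: `Bearer ${apiKey}`, Accept: 'application/json' },
  };
}

// Before: key on the command line, readable by any local process via ps or /proc/<pid>/cmdline.
function chaosSpawnLeaky(apiKey: string, domain: string): SpawnSpec {
  return { command: 'chaos', args: ['-key', apiKey, '-d', domain, '-silent'], env: {} };
}

// After: chaos reads PDCP_API_KEY from its environment, so argv carries only the domain.
function chaosSpawn(apiKey: string, domain: string): SpawnSpec {
  return { command: 'chaos', args: ['-d', domain, '-silent'], env: { PDCP_API_KEY: apiKey } };
}

// Regression check: does the secret appear in any field visible to a third party?
// (URL for HTTP specs; command name and arguments for spawn specs.)
function leaksSecret(secret: string, spec: HttpRequestSpec | SpawnSpec): boolean {
  const exposed = 'url' in spec ? [spec.url] : [spec.command, ...spec.args];
  return exposed.some((field) => field.includes(secret));
}

// Constructed sample values; no network call or process is started here.
const sampleKey = 'constructed-test-key-0123';
console.log('leaky url exposes key:', leaksSecret(sampleKey, ipinfoRequestLeaky(sampleKey, '8.8.8.8')));
console.log('header form exposes key:', leaksSecret(sampleKey, ipinfoRequest(sampleKey, '8.8.8.8')));
console.log('leaky argv exposes key:', leaksSecret(sampleKey, chaosSpawnLeaky(sampleKey, 'example.com')));
console.log('env form exposes key:', leaksSecret(sampleKey, chaosSpawn(sampleKey, 'example.com')));
```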