TL;DR Release of Conkeyscan – A Confluence Keyword/Secret Scanner, which is tailored towards pentesters.
Many companies, especially larger ones, need to store knowledge in a centralized way. A wiki is the usual choice for this. One product that is frequently used for this purpose is Confluence from Atlassian. Similar to how sensitive data being stored on traditional shares, sensitive data is quite often stored in Wikis as well. Finding these secrets is the core feature of Conkeyscan – A Pentesters Confluence Keyword Scanner.
The publicly available tooling to scan Confluence Wikis for keywords and secrets is quite extensive, but it is not primarily aimed at offensive security testers. In contrast, there are various tools for compliance scans, some of which can also be used in pentesting situations but with some drawbacks. This led to the creation of Conkeyscan.
Conkeyscan is available to the community on GitHub https://github.com/CompassSecurity/conkeyscan and can be installed via PyPI.
pip install conkeyscan
A minimal scan can then be started as follows:
conkeyscan -url 'https://example.atlassian.net' --username '[email protected]' --password 'ATAT...'
2024-03-06 15:09:32.693 | INFO | conkeyscan.conkeyscan:main:165 - Applying rate limit of 100 requests per second
2024-03-06 15:09:32.696 | INFO | conkeyscan.conkeyscan:main:205 - Searching as user [email protected]
2024-03-06 15:09:32.696 | INFO | conkeyscan.conkeyscan:main:206 - Searching for 123 keywords
2024-03-06 15:09:32.696 | INFO | conkeyscan.conkeyscan:main:207 - Logging to conkeyscan_results_2024_03_06_15_09.log and stdout
2024-03-06 15:09:32.696 | INFO | conkeyscan.conkeyscan:main:208 - Storing results to ./results
2024-03-06 15:09:37.066 | INFO | conkeyscan.conkeyscan:extract_keyword_hits:68 - [Keyword: authorization_key] [URL: https://example.atlassian.net/wiki/spaces/SD/pages/6422530/authorization_key] [Title: authorization_key] [authorization_key test my number is very_secret_info]
2024-03-06 15:09:40.720 | INFO | conkeyscan.conkeyscan:extract_keyword_hits:68 - [Keyword: key] [URL: https://example.atlassian.net/wiki/spaces/~712020f4c03a500e1b4cbeb9805d2430478027/pages/33137/secret+test+page] [Title: secret test page] [key zaCELgL. 0imfbc8mVLKWwsAawjYr4Rx-Bf50DDqtlx-----BE]
Note: As always it is much more efficient to use a customized dictionary instead of using the built-in one.
Conkeyscan uses the search API and then scans the relevant pages and exports the hits to a Logfile and stores the scanned pages as JSON files to disk for further analysis.
It makes no difference whether a self-hosted or cloud Confluence is scanned. The authentication methods supported are passwords or API keys.
The following features have been implemented:
The options:
conkeyscan -h
Usage: conkeyscan [OPTIONS]
Scan Confluence for keywords using CQL search queries
Options:
-u, --url=STR URL of the Confluence instance
--username, --usr=STR The username of the account to be used
--password, --pwd=STR The according password OR an API key!
-d, --dict-path=STR The path to the dictionary file containing the keywords to search for, falls back to included dict (default:
./src/conkeyscan/config/dict.txt)
-c, --cql=STR A custom CQL query which must include KEYWORD_PLACEHOLDER at least once in the string which will be repalced by the keyword (default:
{text~"KEYWORD_PLACEHOLDER"})
-k, --disable-ssl-checks=BOOL Specify whether to verify SSL/TLS certificates (default: True)
-r, --rate-limit=INT Max requests per second (default: 100)
-p, --proxy=STR The HTTP or SOCKS proxy to be used (examples: socks5://127.0.0.1:1337 or http://127.0.0.1:8080 ) (default: )
-a, --user-agent=STR Custom user agent string (default randomly selected) (default: )
-l, --log-level=STR Custom loguru log level, one of: TRACE, DEBUG, INFO, SUCCESS, WARNING, ERROR, CRITICAL (default: INFO)
Other actions:
-h, --help Show the help
Currently page history, comments or attachments are excluded from the scan. Moreover, it is not possible to scan all pages; other tools such as n0s1 are better suited for this.
If you want to contribute a feature or bug fix, feel free to create a pull request or an issue!