Supported secrets | Fluid Attacks Help

Supported

Currently, these are the secrets Fluid Attacks can detect:
  1. API keys
  2. AWS credentials
  3. Database connection passwords
  4. Express-session secrets
  5. Hardcoded emails (in security-related contexts)
  6. Hardcoded environment variables (e.g., api_key, password, secret)
  7. Hardcoded secrets in cryptographic calls
  8. Initialization vectors
  9. JWT
  10. Private keys
  11. RSA keys
  12. Salts
  13. SonarQube tokens and passwords (in identifiable fields)
  14. SSH keys
  15. Symmetric keys
  16. Other attack vectors and secrets exploitability obtained manually (only in the Advanced plan)

Unsupported

Fluid Attacks' secret support does not currently include the following:
  1. Azure secrets
  2. Cloud storage keys
  3. Firebase secrets
  4. GCP credentials
  5. GitHub tokens
  6. Google Service Account keys
  7. Kubernetes secrets
  8. MFA tokens
  9. OAuth tokens
  10. Payment processor API keys
  11. Sensitive configuration files