Access to third-party APIs typically uses a token to authenticate access.
This token is usually a randomized string that is auto-generated by the API provider and should be at least 16 characters long.
The token is passed with each request to the API provider, and if the token is valid the request succeeds.
Each token usually has a set of permissions applied to it that authorizes it to perform only simple read operations, or more complex write and delete operations.
Unfortunately, these tokens are often accidentally embedded in applications through source code or exposed Javascript variables.
Attackers often scan web application URLs or public git repositories for exposed credentials, and then use the credentials they find to gain access to the victim's resources.
ID: T0112
Type: Technique
Tactic: Initial Access
Summary: Compromised token
State: Draft
Mitigations

ID: M1120
Type: Mitigation
Summary: Store credentials in vault
Description: Sensitive data like credentials and API tokens should not be stored directly in code. Modern applications talk to many third-party APIs, SaaS solutions and other dependencies. This integration usually requires an API token, a username and password credential, or a similar variable. Sometimes these sensitive credentials include database host strings or hostnames. None of these credentials should be stored directly in code. Software engineers often don't understand the consequences of embedding these credentials in code. This is especially true for Javascript applications that run client side, as these credentials are often visible by inspecting the Javascript files running in the local browser.
ID: M1121
Type: Mitigation
Summary: Enable git hooks to find source code related issues early
Description: Enable git hooks to automate the scanning of source code before it is published via git commits. All Git implementations include a hooks directory in the .git base directory. That directory holds several git automations called "hooks", which automatically run scripts when certain actions happen. The best example is the pre-commit hook, which runs before a git commit completes. If the hook script runs software composition analysis (SCA) or static analysis (SAST) tooling, those checks must pass before the commit will succeed.
ID: M1122
Type: Mitigation
Summary: Implement token management best practices
Description: Follow token management best practices, such as generating tokens with sufficient entropy and length (e.g., at least 16 characters), rotating tokens periodically, and avoiding hardcoding tokens in source code or scripts.
ID: M1123
Type: Mitigation
Summary: Implement token access control and permissions
Description: Apply the principle of least privilege when assigning permissions to tokens. Each token should only be granted the minimum permissions necessary to perform its intended operations, and should not have unnecessary write or delete permissions.
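As an added example (not code from the original page or from any API provider it describes), this hypothetical Python token registry puts M1122 and M1123 together on the issuing side: tokens are minted from the OS CSPRNG at 32 characters, stored only as SHA-256 hashes, bound to an explicit permission set, and given an expiry that forces rotation. The 90-day maximum age, the scope names and the `TokenStore` API are assumptions.

```python
import hashlib
import secrets
import time


class TokenStore:
    """Constructed example of a provider-side API token registry.

    Tokens come from the OS CSPRNG (32 url-safe characters), are stored only
    as a SHA-256 hash, carry an explicit permission set (least privilege) and
    an expiry so that rotation is enforced rather than merely recommended.
    """

    def __init__(self, max_age_seconds: float = 90 * 24 * 3600):
        self.max_age = max_age_seconds  # assumed rotation window: 90 days
        self._records = {}  # sha256(token) -> {"scopes": frozenset, "expires": float}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, scopes, now: float = None) -> str:
        """Mint a token with exactly the given scopes; plaintext is returned once."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(24)  # 24 random bytes -> 32 chars, 192 bits
        self._records[self._digest(token)] = {
            "scopes": frozenset(scopes), "expires": now + self.max_age}
        return token

    def authorize(self, token: str, action: str, now: float = None) -> bool:
        """True only for a known, unexpired token whose scopes include action."""
        now = time.time() if now is None else now
        rec = self._records.get(self._digest(token))
        return rec is not None and now < rec["expires"] and action in rec["scopes"]

    def rotate(self, token: str, now: float = None) -> str:
        """Invalidate the old token and return a fresh one with the same scopes."""
        rec = self._records.pop(self._digest(token), None)
        if rec is None:
            raise KeyError("unknown token")
        return self.issue(rec["scopes"], now)

    def revoke(self, token: str) -> None:
        """Drop a token immediately, e.g. once it is known to be exposed."""
        self._records.pop(self._digest(token), None)
```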
ID: M1124
Type: Mitigation
Summary: Use token encryption and obfuscation
Description: Use encryption or obfuscation techniques to protect tokens when they are stored in applications or transmitted over networks. This can prevent attackers from easily extracting or intercepting tokens from source code or network traffic.
Detections

ID: D1120
Type: Detection
Summary: Implement source code scanning for credentials and tokens
Description: Set up monitoring of reported issues based on regular credential scanning results. Scan web applications for embedded secrets and credentials. It is particularly important after deployment to a web endpoint that you scan the newly deployed app for secrets, credentials and other sensitive data.
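The pre-commit scanning under M1121 and the post-deployment secret scanning under D1120 need the same scanner, so this one added example (not part of the original page or of any project it describes) serves both: a hypothetical Python script that flags credential-named assignments and high-entropy literals, runs over the staged files when installed as .git/hooks/pre-commit, or over any file paths given on the command line, such as a JavaScript bundle fetched from the deployed site. The regexes, the 3.8 bits-per-character threshold and the file handling are assumptions.

```python
import math
import re
import subprocess
import sys
from collections import Counter

# Assignment of a 16+ character literal to a credential-looking name.
ASSIGN_RE = re.compile(
    r"(?i)(api[_-]?key|token|secret|password)\s*[:=]\s*['\"]([\w\-./+=]{16,})['\"]")
WORD_RE = re.compile(r"[\w\-./+=]{20,}")  # long token-alphabet run; judged by entropy

def shannon_entropy(s: str) -> float:
    """Bits per character: random tokens sit near log2(len), prose near 3."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def find_candidate_secrets(text: str, threshold: float = 3.8):
    """Return (line_no, literal, reason) for each suspicious literal in text."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in ASSIGN_RE.finditer(line):
            hits.append((no, m.group(2), "credential-named assignment"))
        for m in WORD_RE.finditer(line):
            w = m.group(0)
            if shannon_entropy(w) >= threshold and w not in {h[1] for h in hits}:
                hits.append((no, w, "high-entropy string"))
    return hits

def scan_files(paths):
    """Map each readable text file to its hits; unreadable/binary files are skipped."""
    report = {}
    for p in paths:
        try:
            with open(p, encoding="utf-8") as f:
                hits = find_candidate_secrets(f.read())
        except (OSError, UnicodeDecodeError):
            continue
        if hits:
            report[p] = hits
    return report

def staged_files():
    """Paths added, copied or modified in the git index (pre-commit use)."""
    out = subprocess.run(["git", "diff", "--cached", "--name-only",
                          "--diff-filter=ACM"], capture_output=True, text=True)
    return out.stdout.split()

if __name__ == "__main__":  # paths on argv, otherwise the staged files
    report = scan_files(sys.argv[1:] or staged_files())
    for path, hits in report.items():
        for no, literal, reason in hits:
            print(f"{path}:{no}: {reason} ({literal[:6]}...)")
    sys.exit(1 if report else 0)  # non-zero exit status blocks the commit
```

Entropy alone produces false positives on URLs and hashes, so treat a hit as something to review rather than proof of a leaked credential.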
ID: D1260
Type: Detection
Summary: Implement regular security audit and review
Description: Conduct regular security audits and vulnerability assessments of your systems and storage configurations to identify and address any potential misconfigurations or vulnerabilities that could lead to exposed storage. This includes reviewing access controls, encryption settings, and other security configurations to ensure they are aligned with best practices and organizational security policies.
ID: D1261
Type: Detection
Summary: Implement penetration testing
Description: Penetration testing, also known as ethical hacking or vulnerability assessment, is a proactive approach to mitigating cybersecurity risks. It involves simulating real-world cyber attacks on a system, network, or application in a controlled and authorized manner to identify vulnerabilities and weaknesses that could be exploited by malicious actors.
ID: D1262
Type: Detection
Summary: Implement vulnerability assessment
Description: Vulnerability assessment is a proactive approach to mitigating cybersecurity risks by systematically identifying, evaluating, and prioritizing vulnerabilities in a system, network, or application. It involves conducting regular assessments to identify potential weaknesses that could be exploited by attackers, and taking appropriate actions to remediate or mitigate those vulnerabilities.
ID: D1500
Type: Detection
Summary: Configure monitoring of used artifacts and open-source libraries
Description: Implement regular scanning of used artifacts and open-source libraries for known vulnerabilities. Set up monitoring of reported issues based on regular scanning results.