TL;DR Release of Conkeyscan – A Confluence Keyword/Secret Scanner, which is tailored towards pentesters.

Secrets Everywhere

Many companies, especially larger ones, need to store knowledge in a centralized way, and a wiki is the usual choice for this. One product that is frequently used for this purpose is Confluence from Atlassian. Just as sensitive data ends up on traditional file shares, it is quite often stored in wikis as well. Finding these secrets is the core feature of Conkeyscan – A Pentesters Confluence Keyword Scanner.

Navigating The Tooling Landscape

The publicly available tooling to scan Confluence wikis for keywords and secrets is quite extensive, but little of it is primarily aimed at offensive security testers. Most of it targets compliance scans; some of those tools can also be used in pentesting situations, but with drawbacks. This led to the creation of Conkeyscan.

Conkeyscan

Conkeyscan is available to the community on GitHub (https://github.com/CompassSecurity/conkeyscan) and can be installed via PyPI:

pip install conkeyscan

A minimal scan can then be started as follows:

conkeyscan --url 'https://example.atlassian.net' --username 'ex@amp.le' --password 'ATAT...'

2024-03-06 15:09:32.693 | INFO     | conkeyscan.conkeyscan:main:165 - Applying rate limit of 100 requests per second
2024-03-06 15:09:32.696 | INFO     | conkeyscan.conkeyscan:main:205 - Searching as user ex@amp.le
2024-03-06 15:09:32.696 | INFO     | conkeyscan.conkeyscan:main:206 - Searching for 123 keywords
2024-03-06 15:09:32.696 | INFO     | conkeyscan.conkeyscan:main:207 - Logging to conkeyscan_results_2024_03_06_15_09.log and stdout
2024-03-06 15:09:32.696 | INFO     | conkeyscan.conkeyscan:main:208 - Storing results to ./results
2024-03-06 15:09:37.066 | INFO     | conkeyscan.conkeyscan:extract_keyword_hits:68 - [Keyword: authorization_key] [URL: https://example.atlassian.net/wiki/spaces/SD/pages/6422530/authorization_key] [Title: authorization_key] [authorization_key test my number is very_secret_info]
2024-03-06 15:09:40.720 | INFO     | conkeyscan.conkeyscan:extract_keyword_hits:68 - [Keyword: key] [URL: https://example.atlassian.net/wiki/spaces/~712020f4c03a500e1b4cbeb9805d2430478027/pages/33137/secret+test+page] [Title: secret test page] [key zaCELgL. 0imfbc8mVLKWwsAawjYr4Rx-Bf50DDqtlx-----BE]

Note: As always, it is much more efficient to use a customized dictionary (see --dict-path below) instead of the built-in one.

Conkeyscan issues one search API query per keyword, scans the pages returned for that keyword, writes the hits to a log file and stores the scanned pages as JSON files on disk for further analysis.

It makes no difference whether a self-hosted or a cloud Confluence instance is scanned. The supported authentication methods are a password or an API key, passed via the same --password option.
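To make the mechanism concrete, the following added example (not Conkeyscan's own code, written for this page) does the same thing with nothing but the Python standard library: it substitutes each keyword into a CQL template with the same KEYWORD_PLACEHOLDER convention as the tool's --cql option, runs the query against the public Confluence REST endpoint /rest/api/content/search with expand=body.storage, pages through the results by advancing start, backs off on HTTP 429 using Retry-After, and extracts the matching text with some context. The function names, the sample page body, the /wiki prefix being derived from an *.atlassian.net hostname, and the 25-results-per-page default are assumptions of this example.

```python
"""Added example: Confluence keyword search over the REST search API (stdlib only).

Not Conkeyscan's own code. Endpoint /rest/api/content/search with a `cql`
parameter and `expand=body.storage` is the public Confluence REST API; the
/wiki prefix for *.atlassian.net hosts and the sample data are assumptions.
"""
import base64
import html
import json
import re
import sys
import time
import urllib.error
import urllib.parse
import urllib.request

DEFAULT_CQL = 'type = page AND text ~ "KEYWORD_PLACEHOLDER"'
TAG_RE = re.compile(r"<[^>]+>")


def cql_quote(keyword: str) -> str:
    """Escape backslashes and double quotes so the keyword is safe inside a quoted CQL string."""
    return keyword.replace("\\", "\\\\").replace('"', '\\"')


def build_cql(keyword: str, template: str = DEFAULT_CQL) -> str:
    """Substitute the (escaped) keyword into a CQL template containing KEYWORD_PLACEHOLDER."""
    if "KEYWORD_PLACEHOLDER" not in template:
        raise ValueError("CQL template must contain KEYWORD_PLACEHOLDER")
    return template.replace("KEYWORD_PLACEHOLDER", cql_quote(keyword))


def search_url(base_url: str, cql: str, start: int = 0, limit: int = 25) -> str:
    """Build the content search URL. Assumption: Cloud instances live under /wiki, Server/DC under /."""
    base = base_url.rstrip("/")
    if base.endswith(".atlassian.net"):
        base += "/wiki"
    query = urllib.parse.urlencode(
        {"cql": cql, "start": start, "limit": limit, "expand": "body.storage"}
    )
    return f"{base}/rest/api/content/search?{query}"


def load_dictionary(path: str) -> list:
    """Read keywords, one per line, skipping blank lines and '#' comments (custom dictionary)."""
    with open(path, encoding="utf-8") as fh:
        return [ln.strip() for ln in fh if ln.strip() and not ln.startswith("#")]


def extract_hits(keyword: str, result: dict, context: int = 40) -> list:
    """Return (title, webui_link, snippet) for every case-insensitive keyword occurrence in a result's storage body."""
    body = result.get("body", {}).get("storage", {}).get("value", "")
    text = re.sub(r"\s+", " ", html.unescape(TAG_RE.sub(" ", body)))
    title = result.get("title", "")
    link = result.get("_links", {}).get("webui", "")
    hits = []
    for m in re.finditer(re.escape(keyword), text, re.IGNORECASE):
        lo, hi = max(0, m.start() - context), min(len(text), m.end() + context)
        hits.append((title, link, text[lo:hi].strip()))
    return hits


def fetch_json(url: str, auth_header: str, max_retries: int = 5) -> dict:
    """GET a JSON document, sleeping for Retry-After seconds when the server rate-limits with HTTP 429."""
    for attempt in range(max_retries):
        req = urllib.request.Request(
            url, headers={"Authorization": auth_header, "Accept": "application/json"}
        )
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as err:
            if err.code != 429 or attempt == max_retries - 1:
                raise
            time.sleep(int(err.headers.get("Retry-After", "5")))
    return {}


def scan(base_url, username, secret, keywords, cql_template=DEFAULT_CQL, limit=25, delay=0.1):
    """Yield (keyword, title, link, snippet) for every hit; basic auth works with a password or an API key."""
    auth = "Basic " + base64.b64encode(f"{username}:{secret}".encode()).decode()
    for kw in keywords:
        cql, start = build_cql(kw, cql_template), 0
        while True:
            page = fetch_json(search_url(base_url, cql, start, limit), auth)
            for result in page.get("results", []):
                for hit in extract_hits(kw, result):
                    yield (kw,) + hit
            if page.get("size", 0) < limit:  # last page reached
                break
            start += limit
            time.sleep(delay)  # crude client-side rate limit between pages


# Constructed sample of one search result, as the API would return it with expand=body.storage.
SAMPLE_RESULT = {
    "title": "DB notes",
    "_links": {"webui": "/spaces/SD/pages/1234/DB+notes"},
    "body": {"storage": {"value": "<p>The <b>password</b> for the db is hunter2</p>"}},
}

if __name__ == "__main__":
    # usage: python conf_search.py https://example.atlassian.net user@example.com API_KEY dict.txt
    url, user, secret, dict_path = sys.argv[1:5]
    for kw, title, link, snippet in scan(url, user, secret, load_dictionary(dict_path)):
        print(f"[Keyword: {kw}] [URL: {url.rstrip('/')}{link}] [Title: {title}] [{snippet}]")
```

Note that the search API only returns content the authenticated account is allowed to view, so hits depend entirely on the permissions of the account you test with; running the same scan as a second, differently-privileged user is a quick way to spot over-broad page restrictions.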

Feature Set

The following features have been implemented:

  • Search for provided keywords
  • Handle rate limiting (manually/automatically)
  • HTTP/SOCKS proxying
  • Search with a custom CQL (Confluence Query Language) expression
  • User Agent customization
  • Extensive logging
  • Toggle SSL/TLS verification

The options:

conkeyscan -h
Usage: conkeyscan [OPTIONS]

Scan Confluence for keywords using CQL search queries

Options:
  -u, --url=STR                   URL of the Confluence instance
  --username, --usr=STR           The username of the account to be used
  --password, --pwd=STR           The according password OR an API key!
  -d, --dict-path=STR             The path to the dictionary file containing the keywords to search for, falls back to included dict (default:
                                  ./src/conkeyscan/config/dict.txt)
  -c, --cql=STR                   A custom CQL query which must include KEYWORD_PLACEHOLDER at least once in the string which will be repalced by the keyword (default:
                                  {text~"KEYWORD_PLACEHOLDER"})
  -k, --disable-ssl-checks=BOOL   Specify whether to verify SSL/TLS certificates (default: True)
  -r, --rate-limit=INT            Max requests per second (default: 100)
  -p, --proxy=STR                 The HTTP or SOCKS proxy to be used (examples: socks5://127.0.0.1:1337 or http://127.0.0.1:8080 ) (default: )
  -a, --user-agent=STR            Custom user agent string (default randomly selected) (default: )
  -l, --log-level=STR             Custom loguru log level, one of: TRACE, DEBUG, INFO, SUCCESS, WARNING, ERROR, CRITICAL (default: INFO)

Other actions:
  -h, --help                      Show the help

Limitations

Currently, page history, comments and attachments are excluded from the scan. It is also not possible to dump or scan all pages; the tool only searches for keywords, and other tools such as n0s1 are better suited for that.

Contributions Welcome

If you want to contribute a feature or bug fix, feel free to create a pull request or an issue!