For ease of development, web applications built on the PHP-based Laravel framework and the Python-based Django framework often run in debug mode. Despite the convenience it provides, debug mode poses a problem for both frameworks because, once enabled, it exposes sensitive information in error messages. You can search for sites with Django debug mode enabled in the criminalip asset search using the following filter:
"DisallowedHost at"
Django sites with debug mode enabled, exposing sensitive information to error messages
The HTTP request headers exposed on the Django web application contain not only the API key mentioned so far, but also authentication-related information such as admin usernames and passwords, as well as the DB account.
Django site exposing sensitive information such as admin and password
You can also use the filter below to find Laravel sites with debug mode enabled.
title: "Whoops! There was an error"
Result when searching for the title: "Whoops! There was an error"
Laravel debug mode is enabled on all of the IP addresses returned by this search; when you access one, the error message shows the APP key and the DB account and password.
Laravel website exposed sensitive information such as database accounts and passwords
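As an added example, not part of the original post: a small Python check that a defender can run over responses from their own hosts to recognise the two debug-mode pages described above (the "DisallowedHost at" Django page and the "Whoops!" Laravel page), plus an audit of the Django settings that turn a rejected Host header into a detailed error page. The function names and the sample HTML bodies are constructed for illustration.

```python
import re

# Signatures quoted from the post's two search filters.
DJANGO_DEBUG_MARKER = "DisallowedHost at"
LARAVEL_DEBUG_TITLE = "Whoops! There was an error"


def classify_debug_page(html: str):
    """Return "django", "laravel" or None for a response body, based on the two
    debug-mode signatures above. Intended for pages served by your own hosts."""
    if DJANGO_DEBUG_MARKER in html:
        return "django"
    match = re.search(r"<title>(.*?)</title>", html, re.I | re.S)
    title = match.group(1).strip() if match else ""
    if LARAVEL_DEBUG_TITLE.lower() in title.lower():
        return "laravel"
    return None


def django_settings_findings(settings: dict):
    """Flag the Django settings that make a DisallowedHost error render as a
    detailed technical page instead of a bare 400 response."""
    findings = []
    if settings.get("DEBUG"):
        findings.append("DEBUG is True: technical 500 pages show request headers and settings")
    if "*" in settings.get("ALLOWED_HOSTS", []):
        findings.append("ALLOWED_HOSTS contains '*': Host header validation is disabled")
    return findings


# Constructed sample bodies (not captured from any real host).
SAMPLE_DJANGO = (
    "<html><head><title>DisallowedHost at /</title></head>"
    "<body>Invalid HTTP_HOST header: 'app.test'. You may need to add 'app.test' "
    "to ALLOWED_HOSTS.</body></html>"
)
SAMPLE_LARAVEL = (
    "<html><head><title>Whoops! There was an error.</title></head>"
    "<body>Environment &amp; details</body></html>"
)
# With DEBUG = False Django answers a bad Host header with this generic page instead.
SAMPLE_CLEAN = "<html><head><title>Bad Request (400)</title></head><body></body></html>"

if __name__ == "__main__":
    for name, body in [("django", SAMPLE_DJANGO), ("laravel", SAMPLE_LARAVEL), ("clean", SAMPLE_CLEAN)]:
        print(name, "->", classify_debug_page(body))
    print(django_settings_findings({"DEBUG": True, "ALLOWED_HOSTS": ["*"]}))
```

The fix on the application side is the same in both cases: set DEBUG = False (Django) or APP_DEBUG=false (Laravel) in production and restrict ALLOWED_HOSTS to the hostnames you actually serve.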
API key exposed as a text file
If you search for "APIKey.txt" in Asset Search, you'll find something interesting.
APIKey.txt
Results when searching for "APIKey.txt" in criminalip asset search
Browsing one of the sites returned, it is hard to tell what the site is for. However, the page source code gives a clear idea of what the page is all about.
Website after searching for APIKey.txt
The page source code shows that this website uses Firebase as its database. Under the Firebase configuration, you can see that the API key, authDomain, and appId that are published when using the Firebase SDK are exposed.
The page credentials of the aforementioned website were exposed.
We also found a website that appears to be a Chinese RESTful API that exposes the admin's access token hash.
criminalip often displays HTML files containing credentials that tend to go unattended because they were left over from testing or created by mistake. For example, the image below is an HTML file with Amazon Web Services (AWS) IAM metadata or a DynamoDB AWS key.
1) HTML file with IAM metadata, in which the user account can be found.
HTML file showing user account in AWS IAM metadata
2) HTML file with DynamoDB, one of the main AWS NoSQL services. Credentials including the Access Key ID and Secret Key are exposed.
DynamoDB Admin
Results when searching for AWS DynamoDB admin in criminalip asset search