Leakz is Caido's passive workflow to find potential leaked secrets, PII, and sensitive fields.
- Download the workflow file from the releases page or with:
  `wget https://github.com/dwisiswant0/leakz/raw/master/dist/Leakz.json`
- In Caido, navigate to Testing > Workflows, then import the workflow file.

or

- Just execute:
  `bun run workflow:install`
- After that, refresh your Caido instance by right-clicking and selecting Reload.
Tip: To update, you must first uninstall it using `bun run workflow:uninstall` and then reinstall it to apply the changes, or simply execute `bun run workflow:update`.
That's it!
Important: Response interception needs to be enabled for this passive workflow to work properly.

Note: The Bun toolkit is required.
- Build (bundle) the sources:
  `bun run build`
- Compile into a Caido workflow:
  `bun run compile`
Currently, I understand that it's challenging to selectively opt-in or out of certain kinds of leaks and/or to exclude specific patterns while maintaining good UX.
By default, Leakz does NOT scan for PII & sensitive fields; you can enable this in the `config.ts` file, then rebuild and compile the sources to apply the change.
Leakz currently does not offer scanning for leaks in request/response headers. See caido/caido#972.
The patterns are curated from mazen160/secrets-patterns-db.
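To make the detection approach concrete, here is an added example of a small passive response scanner in plain JavaScript. It is not Leakz's own code and does not use Caido's workflow SDK; the pattern table, the `isScannable` content-type filter, the `redact` helper and the sample responses are all constructed for this example. It shows the three things a workflow like this has to get right: only scanning text-like bodies, keeping PII patterns opt-in (Leakz's default), and reporting redacted samples rather than copying the full secret into findings.

```javascript
// Added example (not Leakz's own code): a minimal passive scanner for leaked
// secrets in HTTP response bodies. Pattern names, regexes and the sample
// responses below are constructed for this example; Leakz's real pattern set
// is curated from mazen160/secrets-patterns-db.

// Constructed pattern table. Each entry mirrors the shape a secrets pattern
// database typically uses: a name, a regex and a rough confidence level.
const PATTERNS = [
  { name: "AWS Access Key ID", regex: /\bAKIA[0-9A-Z]{16}\b/g, confidence: "high" },
  { name: "Private key block", regex: /-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----/g, confidence: "high" },
  { name: "Slack token", regex: /\bxox[baprs]-[0-9A-Za-z-]{10,}\b/g, confidence: "medium" },
  // PII-style pattern: opt-in only, like Leakz's default for PII scanning.
  { name: "Email address", regex: /\b[\w.+-]+@[\w-]+\.[\w.-]+\b/g, confidence: "low", pii: true },
];

// Only text-like responses are worth scanning; binary bodies mostly produce noise.
function isScannable(contentType) {
  if (!contentType) return true;
  const ct = contentType.toLowerCase();
  return /^(text\/|application\/(json|javascript|xml|x-www-form-urlencoded))/.test(ct) ||
         ct.includes("+json") || ct.includes("+xml");
}

// Mask the middle of a match so a finding can be logged or reported without
// storing the complete secret a second time.
function redact(value) {
  if (value.length <= 8) return "*".repeat(value.length);
  return value.slice(0, 4) + "*".repeat(value.length - 8) + value.slice(-4);
}

// Scan one response object ({ url, headers, body }). Returns an array of
// findings with the pattern name, confidence, byte offset and a redacted sample.
function scanResponse(response, opts = {}) {
  const { includePII = false } = opts;
  const findings = [];
  if (!isScannable(response.headers["content-type"])) return findings;
  for (const p of PATTERNS) {
    if (p.pii && !includePII) continue;
    p.regex.lastIndex = 0; // defensive reset of global-regex state between calls
    for (const m of response.body.matchAll(p.regex)) {
      findings.push({
        pattern: p.name,
        confidence: p.confidence,
        offset: m.index,
        sample: redact(m[0]),
      });
    }
  }
  return findings;
}

// Constructed sample responses: one JavaScript config file that leaks a key
// (AWS's documented example key id) and an email address, and one image whose
// body would match but is skipped by the content-type filter.
const SAMPLE_RESPONSES = [
  {
    url: "https://app.example.test/config.js",
    headers: { "content-type": "application/javascript" },
    body: 'window.cfg = { awsKey: "AKIAIOSFODNN7EXAMPLE", support: "ops@example.test" };',
  },
  {
    url: "https://app.example.test/logo.png",
    headers: { "content-type": "image/png" },
    body: "AKIAIOSFODNN7EXAMPLE",
  },
];

// Scan a batch of responses and pair each URL with its findings.
function scanAll(responses, opts) {
  return responses.map((r) => ({ url: r.url, findings: scanResponse(r, opts) }));
}

// Stand-alone run: print redacted findings per URL (PII patterns disabled).
for (const r of scanAll(SAMPLE_RESPONSES)) {
  console.log(r.url, JSON.stringify(r.findings));
}
```

Passing `{ includePII: true }` to `scanAll` turns on the email pattern, which is the equivalent of flipping the PII option in `config.ts`; headers are deliberately not scanned here, matching the limitation noted above.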
Leakz is released with ♡ by @dwisiswant0 under the Apache 2.0 license. See LICENSE.